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Abstract 

By extending the notion of minimum rank distance, this paper introduces two new relative code parameters 
of a linear code C\ of length n over a field extension F ? .» and its subcode Ci £ C\. One is called the relative 
£C) • dimension/intersection profile (RDIP), and the other is called the relative generalized rank weight (RGRW). We 

clarify their basic properties and the relation between the RGRW and the minimum rank distance. As applications 
of the RDIP and the RGRW, the security performance and the error correction capability of secure network coding, 
guaranteed independently of the underlying network code, are analyzed and clarified. Silva and Kschischang showed 
the existence of a secure network coding in which no part of the secret message is revealed to the adversary even if 
any dimCi - 1 links are wiretapped, which is guaranteed over any underlying network code. However, the explicit 
construction of such a scheme remained an open problem. We solve this open problem by proposing a new scheme 
, and clarifying its performance with the RDIP and the RGRW. 

Index Terms 

Network error correction, rank distance, relative dimension/intersection profile, relative generalized Hamming 
weight, relative generalized rank weight, secure network coding. 

^ . I. Introduction 

> ■ 

Secure network coding was first introduced by Cai and Yeung [6], and further investigated by Feldman 
^ ■ et al. [11 J. In the scenario of secure network coding, a source node transmits n packets from n outgoing 
[ links to sink nodes through a network that implements network coding flU, ifTTll . EEL and each sink node 

, J ' receives packets from N incoming links. In the network, there is an adversary who eavesdrops /j. links. 

O The problem of secure network coding is how to encode a secret message into n transmitted packets at the 
^ ! source node, in such a way that the adversary obtains as little information as possible about the message 
| in terms of information theoretic security. 

As shown in 01, |[T0ll , secure network coding can be seen as a generalization of secret sharing schemes 
^ ■ GO, ll3TTl or the wiretap channel II ll30ll to network coding. The problem of secret sharing schemes is 
e$ , how to encode a secret message into n information symbols called shares in such a way that the message 
can be recovered only from certain subsets of shares. In order to solve both problems of secure network 
coding and secret sharing schemes, the nested coset coding scheme ll40ll is commonly used to encode 
a secret message to shares/transmitted packets, e.g., it has been used in []9]|, IfTOl , ||27l , 113011 , (3JJ, [|34ll . 
The nested coset coding scheme is defined by a linear code C\ Q ~F n q ,„ and its subcode C2 £ C\ with 
dimC 2 = dimCi -/ (/ > 1) over It/7" 1 ? where V q m denotes an m-degree (m > 0) field extension of a field ¥ q 
of order q. From a secret message of / elements in F 9 »>, it generates each transmitted packet/each share 
defined as an element of ¥ qm . 

Duursma and Park [9 | defined the coset distance as a relative code parameter of C\ and C2. The coset 
distance is the minimum value of the Hamming weight of codewords in CAC2. They revealed that in the 
case of secret sharing schemes using the nested coset coding scheme, the security guarantee of the scheme 
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is exactly expressed in terms of the coset distance when the message consists of one information symbol, 
i.e., 1=1. Motivated by their result using the coset distance, we [18] generalized their analysis to a secret 
message consisting of multiple (/ > 1) information symbols. In [fT8l , it was clarified that the minimum 
uncertainty of the message given p(< n) shares is exactly expressed in terms of a relative code parameter 
of C\ and C2, called the relative dimension/length profile (RDLP) ll23l . The paper lfT8l also introduced a 
definition of the security in secret sharing schemes for the information leakage of every possible subset of 
elements composing the message by generalizing the security definition of strongly secure ramp threshold 
secret sharing schemes Il39l . It was revealed in lfT8l that this security is also exactly expressed in terms of 
a relative code parameter of C\ and C2, called the relative generalized Hamming weight (RGHW) G3ll . 
where the coset distance coincides with the first RGHW. 

The main aim of this paper is to extend the work in [18] to the security analysis of secure network 
coding based on the nested coset coding schemes, and to clarify its security performance guaranteed over 
any underlying network coded network. To this end, in Section [I] of this paper, we first introduce two 
new relative code parameters called the relative dimension/intersection profile (RDIP) and the relative 
generalized rank weight (RGRW), and give some basic properties of the RDIP and the RGRW. Similar 
to the aim of this paper, Ngai et al. ||27l introduced a code parameter called the network generalized 
Hamming weight (NGHW), and later Zhang et al. Il42l extended NGHW to the relative generalized 
network Hamming weight (RNGHW). The value of the (R)NGHW depends on the underlying network 
topology and the network code, and hence the security performance expressed in terms of the (R)NGHW 
is not guaranteed independently of the underlying network code. We will clarify the relation between the 
RNGHW and the proposed parameters in Section III-BI We note that the generalized rank weight [|29l was 
introduced by Oggier and Sboui concurrently and independently of the conference version [|20l of this 
paper, and that the generalized rank weight is a special case of the RGRW. In Section [Hi we also clarify 
that the RGRW can be viewed as a generalization of the minimum rank distance [[T4l of a linear code. 

In order to measure the security performance of secure network coding, we first define a criterion called 
the universal equivocation &^p sx , in Section Unl which is the minimum uncertainty of the message under 
observation with jj. links for the joint distribution P s x of the secret message S and the transmitted packets 
X. Although P s x have been assumed to be uniform for the definition of &^p sx in the conference version of 
this paper [|20l , we make no assumption regarding P s x in this paper. In (Si, IfTOl , Il27l , Il42l . the minimum 
uncertainty of the message was analyzed, but their analyses depend on the underlying network code. In 
contrast, ® M ,p sx is guaranteed independently of the underlying network code. Hence, it is called universal 
in the sense of Il34l . Next, we introduce the second criterion. Consider the case where &fi,p sx is less than 
the Shannon entropy of the secret message. Then, some part of the secret message could be uniquely 
determined by the adversary. It is clearly desirable that no part of the secret message is deterministically 
revealed and that every part is kept hidden, even if some information of the secret message leaks to the 
adversary. From this observation, we define the universal co-strong security to be the condition where 
the mutual information between any r ¥ q m -symbols of the secret message and observed packets from 
arbitrary to - r + 1 tapped links (1 < r < I) is always zero. Note that to is defined independently of the 
underlying network code and universal. The universal strong security defined in [fP9l , [|33l is a special 
case for to = n - 1 . 

The rest of Section [III] of this paper clarifies the universal security performance of secure network 
coding based on the nested coset coding scheme with Ci and Ci_. We first present the upper and lower 
bound of the mutual information leaked from a set of tapped links with an arbitrary distribution Psjc- By 
using this analysis, we demonstrate that the upper and lower bounds of ®/j,p sx are expressed in terms of 
the RDIP of Ci and C2 for arbitrary Ps,x, and the maximum possible value of to, defined as the universal 
maximum strength Q, is expressed in terms of the RGRW of C\ and C2. Moreover, in terms of Q, we 
express the upper bound of the maximum mutual information between a part of the secret message and 
observed packets for arbitrary P$,x, which is independent of the underlying network code. 

On the other hand, the adversary in the scenario of network coding might be able to not only eavesdrop 
but also inject erroneous packets anywhere in the network, and the network may suffer from a rank 
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deficiency of the transfer matrix at a sink node. The second aim of this paper is to reveal the error 
correction capability of secure network coding based on the nested coset coding schemes with C\ and C2. 
For the error correction problem of secure network coding, in Section [IVj we define the universal error 
correction capability against at most t injected error packets and at most p rank deficiency of the transfer 
matrix of a sink node. This is called universal because it is guaranteed independently of the underlying 
network code, as well as ®^,p sx and Q. We clarified that in secure network coding based on the nested 
coset coding scheme with C\ and C2, the universal error correction capability against t errors and p rank 
deficiency is expressed in terms of the first RGRW of C\ and C2. Although the conference version [|20l 
of this paper considered only the case where the transfer matrix is completely known to each sink node, 
the analysis in this paper includes not only the case of known transfer matrices but also the case where 
the transfer matrix is unknown to every sink node. 

As an application of the above analyses by the RDIP and the RGRW, this paper also proposes a universal 
strongly secure network coding constructed from the nested coset coding schemes with C\ and C2, and 
provides its analysis. In [34], Silva and Kschischang proposed a secure network coding scheme based on 
the nested coset coding scheme with maximum rank distance (MRD) codes C\ and C2 lfT4l . Their scheme 
guarantees that the universal equivocation ®^ Psx for p. < dimC2 equals the Shannon entropy [8] of the 
secret message S when the distribution of the transmitted packets X is conditionally uniform given S. 
This implies that no information about the message leaks out even if any dimC2 links are observed by 
an adversary. In [33 1 , they also show the existence of the nested coset coding scheme that guarantees the 
universal maximum strength Q = dimCi - 1 = n - 1 for Ci = F'^,„. However, an explicit construction of 
the nested coset coding scheme achieving Q = dimCi - 1 had remained an open problem [1331 . Inspired 
by Nishiara et al.'s strongly secure threshold ramp secret sharing scheme [|28l using a systematic Reed- 
Solomon code, Section [V] of this paper proposes an explicit construction using a systematic MRD code 
with Q = dimCi - 1, and solves the open problem. The earlier version of the proposed scheme was 
presented in the conference paper [[T9l . We note that in [19], the error correction in the scheme was not 
considered at all. With the addition of error correction, the scheme proposed in this paper is an extension 
of the earlier version. The analysis of universal security performance of the proposed scheme is provided 
as an application of the RDIP and the RGRW, which is a different approach from the analysis in the 
conference version [fl~9l and also from [031 , [1341 . We also provide an analysis of the universal error 
correction capability of our scheme as an application of the RGRW. As well as the scheme of Silva and 
Kschischang [34], the proposed scheme guarantees, independently of the underlying network code, that 
no information of the secret message is obtained from any p. < dimC2 tapped links, and that the secret 
message is correctly decodable against any t error packets injected somewhere in the network and p rank 
deficiency of the transfer matrix of the sink node whenever n - dimCi + 1 < 2t + p holds. Moreover, 
our scheme also always guarantees that no information about any r ¥ q m -symbols of the secret message 
is obtained by the adversary with p = dimCi - r tapped links (1 < r < /), unlike Silva et al.'s scheme 
[[331 , [|34l . Our only assumption in the proposed scheme is that the network must transport packets of size 
m > I + n symbols. Note that the proposed scheme completely solves the open problem posed at the end 
of Section V-B of the survey paper of Cai and Chan on secure network coding 01. 

Here again, we briefly show the structure of this paper. The remainder of this paper is organized as 
follows. Section [II] defines the RDIP and RGRW of linear codes, and introduces their basic properties. We 
also show their relations to the existing code parameters in this section. Section [HI] defines the universal 
security performance over the wiretap network model, and reveals that the universal security performance 
of secure network coding is exactly expressed in terms of the RDIP and the RGRW. In Section HVl we 
also reveal that the universal error correction capability of secure network coding is exactly expressed 
in terms of the RGRW. As an example, an explicit construction of strongly secure network coding is 
proposed in Section [Vj and its security performance and error correction capability are analyzed by the 
RDIP and the RGRW. Finally, Section [VTI presents our conclusions. 
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II. New Parameters of Linear Codes and Their Properties 

A. Notations and Preliminaries 

Let ¥ g be a finite field containing q elements and F^ be an m-degree field extension of ¥ q (m > 1). 
Let F^ denote an rc-dimensional row vector space over ¥ q . Similarly, ¥ qm denotes an n-dimensional row 
vector space over ¥ q m. Unless otherwise stated, we consider subspaces, ranks, dimensions, etc, over the 
field extension ¥ q m instead of the base field ¥ q . 

An [n, k] linear code C over F" is a ^-dimensional subspace of F" . Let C L denote a dual code of a 
code C. A subspace of a code is called a subcode 11241 . For C Q ¥ n qin , we denote by C\¥ q a subfield subcode 
C C\¥ q Il24l . Observe that dimC means the dimension of C as a vector space over whereas dimC|F ? 
is the dimension of C\¥ q over ¥ q . 

For a vector v = [v\, . . . , v n ] e ¥ n q „, and a subspace V Q ¥' qin , we denote v q = [v\, . . . , v q n ] and V q = {v q : 
v e V}. For a subspace V c ¥ n q ,„, we define by V* = X™ ' tne sum °f subspaces V, V q , ... , y^ m_1 . Define 
a family of subspaces V c F^ m satisfying V = V q by 

r(F^) = {F^ -linear subspace V c F^ : V = V 9 } . 

Also define 

r ! (F:;„,)^{yer(F^):dimy = /}. 
For r(F^,„), we have the following lemmas given in (361. 

Lemma 1 ( 061 Lemma 1]). Let V Q ¥ q „, be a subspace. Then, the followings are equivalent; 1) V e r(F^,„), 
2) There is a basis of V consisting of vectors in ¥' q . In particular, V e r(F^,„) if and only if dim V\¥ q = dim V. 

Lemma 2 ( [36]). For a subspace V c ¥ q ,„, V* is the smallest subspace in r(F^ m ), containing V. 

Lemma 3 ( [36]). For a subspace V c ¥ n qm , dim V* < mdim V. 

B. Definitions of New Parameters 

We first define the relative dimension/intersection profile (RDIP) of linear codes as follows. 

Definition 4 (Relative Dimension/Intersection Profile). Let C\ Q ¥' ql „ be a linear code and C2 5 C\ be 
its subcode. Then, the z-th relative dimension/intersection profile (RDIP) of C\ and C2 is the greatest 
difference between dimensions of intersections, defined as 

K R<i (CuC2)= max {dim (Ci n V) - dim (C 2 n V)} , (1) 

for < i < n. 

Next, we define the relative generalized Hamming weight (RGHW) of linear codes as follows. 

Definition 5 (Relative Generalized Rank Weight). Let C\ Q ¥" ql „ be a linear code and C2 £ Ci be its 
subcode. Then, the z-th relative generalized rank weight (RGRW) of C\ and C2 is defined by 

M R j(d , C 2 ) = min (dim V : V e r(¥'^), dim (d n V) - dim (C 2 nV)> z) , (2) 

for < i < dim(Ci/C 2 ). 

In ll2"9ll . Oggier and Sboui proposed the generalized rank weight that can be viewed as a special case 
of the RGRW with C 2 = {0}. 

Here we briefly explain the relation between these new parameters and the existing relative pa- 
rameters defined by a code and its subcode. For an index set I c {!,...,«}, define a subspace 
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Sj = [x = [x 1 ,...,x n \£ F^ : Xi = for i g j) c F^,„. We have dim £ T = |J|. Let A(F^) and A ; (F^ m ) 
for < i < n be collections of ¥ q „, -linear subspaces of ¥ l qin , defined by 

A^^jSjCF^Jcd n)j, 

Ai(F^) = {fij c A(F^) : dim 6 T = i] . 

The z'-fh relative dimension/length profile (RDLP) defined by Luo et al. ||23l is obtained by replacing r ; (F^,„) 
in (OQ) with A,(F^ m ). Also, the relative generalized Hamming weight (RGHW) ||23l is given by replacing 
T(¥ n ql „) in © with A(F£„). Additionally, the generalized Hamming weight (GHW) [|3H is obtained by 
replacing r(F^) in © with A(F^,„) and setting C 2 = {0}. 

Remark 6. For an arbitrary index set I c {1, . . . ,n}, a basis of £j is {e {i) = [ef, ef] : i e 1} from 
the definition of fij, where e^ = 1 if i = j, and e^ = if i j. This implies that a basis of £j consists 
of vectors in ¥ q , and hence we have fij e T(F^ m ) from Lemma \T\ We thus have A(FL) c r(F^») and 
A,(F'J,„) c T ( (F^ m ). This implies that the RDIP of linear codes is always greater than or equal to the RDLP 
of the codes, and that the RGRW of linear codes is always smaller than or equal to the RGHW of the 
codes. 

We also show the relation between the RGRW and the relative network generalized Hamming weight 
(RNGHW) B2ll . Let f be a set of some one-dimensional subspaces of ¥ n q . Each subspace in T was 
defined as a space spanned by a global coding vector lfT3ll of each link in the network coded network. 
(For the definition of global coding vectors, see Section IIII-AI or |[T3l ). Let 2 r be the power set of T . 
For 2 r , define a set of direct sums of subspaces by 

T r = \ w Q¥ n q : W = J^V,J e 2 r \ . 

{ Vej ) 

We restrict the degree m of field extension ¥ q m to m = 1, i.e., C\ and C2 are F^-linear subspaces of ¥ n q . 
Then, the RNGHW of C\ and C 2 for the network is obtained by replacing r(F'^„) in © with f T . In 
addition, the network generalized Hamming weight (NGHW) Il27ll is obtained by replacing r(F'^„) in © 
with T r and set C 2 = {0}, as the relation between the RGHW and the GHW. 

Remark 7. Note that in the definitions of RNGHW and NGHW, the field over which the global coding 
vectors are defined must coincide with the field over which linear codes C\ and C 2 are defined. Hence, 
we restricted the degree m to 1 of the field extension F^ over which C\ and C 2 are defined. In the case 
of m = 1, we have c Y(¥ qm ). Thus, the RGRW of Ci and C 2 for m = 1 is always smaller than or 
equal to the RNGHW. 

C. Basic Properties of the RDIP and the RGRW 

This subsection introduces some basic properties of the RDIP and the RGRW. They will be used for 
expressions of the universal security performance (Section Hill) and the universal error correction capability 
(Section HVT) of secure network coding. 

Theorem 8 (Monotonicity of the RDIP). Let C\ Q ¥ n q „, be a linear code and C 2 g Ci be its subcode. Then, 
the z'-th RDIP K RJ (CuC 2 ) is nondecreasing with i from K Rfl (CuC 2 ) = to K Ra {C\,C 2 ) = dim(Ci/C 2 ), 
and < K RtM (CuC 2 ) - K RJ (Ci,C 2 ) < 1 holds. 

Proof: K Ri0 (Ci,C 2 ) = and K Rn {C\, C 2 ) = dim(Ci/C 2 ) are obvious from Definition |4] By Lemma [U 
for any subspace V\ e r (+1 (F^,„), some V 2 s satisfying V 2 e Yi(¥ qm ) and V 2 J V\ always exist. This yields 
K R j(Ci,C 2 ) < K R j + [(Ci,C 2 ). 

Next we show that the increment at each step is at most 1. Consider arbitrary subspaces V, V e T(¥ qm ) 
such that dim V = dim V +1 and V £ V. Let / = dim (Ci n V) - dim (C 2 n V) and g = dim (Ci n V) - 
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dim (C 2 n V). Since dim (Ci n V) + 1 > dim (Ci n V) > dim (Ci n V) and C 2 £ d, we have f+l>g>f 
and hence Zg if (Ci, C 2 ) + 1 > K R>i+1 (C u C 2 ) > ^(d, C 2 ). ■ 
We note that if we replace r,(F^,„) with A,(F^,„) in Theorem [8] it coincides with Il23l Proposition 1] for 
the monotonicity of the RDLP 

Lemma 9. Let C\ c WL be a linear code and C 2 5 Ci be its subcode. Then, the z'-th RGRW M RJ (Ci,C 2 ) 
is strictly increasing with i. Moreover, M Rt o(Ci,C 2 ) = and 

M R ,IC U C 2 ) = minjj : K RJ (C X ,C 2 ) = i) 

= min {dim V : V e r(F^), dim (d n V) - dim (C 2 n V) = i) , 

for < i< dim(Ci/C 2 ). 
Proof: First we have 

min [j : KgJpuCi) £ i} = min {j : 3V e Tj(¥ n qm ), such that dim (Ci n V) - dim (C 2 nV)> /} 

= min {dim V : V e r(FJ,), dim (Ci n V) - dim (C 2 n V) > i} 
= MsdPuC2). 

From Theorem U we have [j : K RJ (Ci,C 2 ) = i] n {j : ^j(Ci,C 2 ) > z + l) = 0. We thus have 

M fft! (Ci,C 2 ) = minjj : K RJ (C U C 2 ) > i) 
= miny : K RJ (CuC 2 ) = /} • 
Therefore the RGRW is strictly increasing with i and thus 

M RJ (Ci,C 2 ) = min {dim V : V e T(F^), dim (Ci n V) - dim (C 2 n V) = i) , 

is established. ■ 
In ||29l Lemma 1], it was shown that in the case of C 2 = {0}, the second RGRW M R2 (C\, {0}) is greater 

than the first RGRW M RA (C U {0}). 

We note that if we replace r(PJ») and K RJ (CuC 2 ) in Lemma |9] with A(F^,„) and the j'-th RDLP, the 

lemma coincides with Il23l Theorem 3] for the properties of RGHW. Also, if we replace r(F^„) in Lemma[9] 

with Yyr, the property of strictly increasing the RGRW shown in the lemma also becomes the property 

of the RNGHW (H Theorem 3.2]. 

Now we present the following upper bound of the RGRW. 

Proposition 10. Let C\ c F^„, be a linear code and C 2 £ C\ be its subcode. Then, the RGRW of Ci and 
C 2 is upper bounded by 

M R>i (Ci,C 2 )<min{n-dimCi,(m-l)dimCi/C 2 } + ?, (3) 

for 1 < i< dim(Ci/C 2 ). 

Proof: We can assume that C 2 is a systematic code without loss of generality. That is, the first dim C 2 
coordinates of each basis of C 2 is one of the canonical bases of F^ C2 . Let S g WL be a linear code 
such that C\ is the direct sum of C 2 and S. Then, after suitable permutation of coordinates, a basis of 
S can be chosen such that its first dimC 2 coordinates are zero. Hence, a code S can be regarded as a 
code of length n - dimC 2 , and we have M R ^ mS {S, {0}) < n - dimC 2 from the definition of the RGRW. 
On the other hand, since M R tiimS (S,{0}) = dirriiS* from the definition of the RGRW and Lemma |2l and 
dim S* < mdim<S from Lemma |3l we have M R ^ tmS (S, {0}) < md\rc\S = mdimCi/C 2 . We thus have 

Aftf.ditnsGS, {0}) ^ minjn -dimC 2 ,mdimCi/C 2 }. 
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We shall use the mathematical induction on t. We see that 

MgJS,{0}) <min{n-dimCi,(m- l)dimCi/C 2 } + 1, (4) 

is true for t = dim S = dim Ci - dim C 2 . Assume that for some t > 1, © is true. Then, since the M t (S, {0}) 
is strictly increasing with i from Lemma we have 

M*,,_i(S,{0}) < M RJ (S,{0})-1 <min{n-dimCi,(m- l)dimCi/C 2 } + t- 1, 

holds. Thus, it is proved by mathematical induction that © holds for 1 < t < dim(Ci/C2). 

Lastly, we prove © by the above discussion about the RGRW of S and {0}. For an arbitrary fixed 
subspace V c WL, we have dim (Ci n V) > dim (5flV) + dim (C 2 n V), because C\ is a direct sum of S 
and C 2 . Hence, dim {C\ n V) - dim (C 2 n V) > dim («S n V) holds, and we have M Rd (C u C 2 ) < M RJ (S, {0}) 
for 1 < i< dim(Ci/C 2 ) from the definition of the RGRW. Therefore, from the foregoing proof, we have 

M R j(C u C 2 ) < M RJ (S, {0}) < min{n - dim Ci, (in - l)dimd/C 2 } + i, (5) 

for 1 < i < dim(Ci/C 2 ), and the proposition is proved. ■ 
If n - dimC 2 < mdimCi/C 2 holds and r(F^,„) is replaced with A(F^ m ), this lemma coincides with the 
generalized Singleton bound for the RGHW |]23l Theorem 4]. Also, if n - dimC 2 < mdimCi/C 2 holds 
and r(F^) is replaced with T r , i.e., the RGRW is replaced to the RNGHW, it becomes 02 Theorem 
3.4]. 

D. Relation between the Rank Distance and the RGRW 

Next, we show the relation between the rank distance [14] and the RGRW. We will use the relation 
to express the universal security performance (Section III]) and the universal error correction capability 
(Section HVl) of secure network coding. 

For a vector x = [x\,. . . ,x n ] e F^,„, we denote by S(jc) c ¥ qm an F ¥ -linear subspace of F q m spanned by 
*i, . . . , x n . The rank distance [fT4| between two vectors x, y e YL is given by d R {x, y) = 6\m ¥ii Q(y - x), 
where dim Fi? denotes the dimension over the base field ¥ q . In other words, it is the maximum number of 
coordinates in (y - x) that are linearly independent over ¥ q . The minimum rank distance [fT4l of a code 
C is given as 

d R (C) - min{ d R (x, y) : x,y e C, x ± y\ 
= min{ d R (x, 0) : x e C,x ^ 0}. 

Lemma 11. Let b e ¥ n ql „ be an n-dimensional nonzero vector over ¥ q ,„, and let (b) c ¥ n qm be an ¥ q m -linear 
one-dimensional subspace of ¥ n qm spanned by b. Then, we have dim (b)* = d R (b,0). 

Proof: Let {71, . . . ,y m } be an F^-basis of ¥ ql „. Let d = d R (b,0) = d'\vr\ Fq Q(b). From the definition of 
the rank distance, there exists a nonsingular matrix P e ¥ q xn satisfying 

b = [y l ,..., 7 d ,0,...,0] P 

-v" 

=aeF" 

For oc\ , o?2 e F 9 , /3i,/3 2 e F^, we have a\ff[ + a 2 0[ = (a\fi\ + aifii)^ (0 < i < m- 1). Thus, since P is a 
matrix over ¥ q , we have b q ' = (aP) q = a q P. Let (b,b q , . . . ,b q '" ') c F^ m be an F^» -linear subspace of ¥ qm 
spanned by m vectors b, b q , . . . , b q "' ' , then we have (b)* = (b, b q , . . . , b q "' ' ) and hence 

dim<6>* = dim0,M,...,M""') 

= d\m(aP,a q P,...,a q '"~ [ P) 
= dim {a,a q , . . .,a q "' ) 
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rank 




Since the right n - d columns of T are zero columns, we have rankT < d. On the other hand, since 
the upper-left d x d submatrix T of T is the generator matrix of [d, d] Gabidulin code 031, we have 
rankT' > d. Therefore, we have dim (b)* = rankT = d. ■ 

Lemma 12. For a code C\ Q F q ,„ and its subcode C 2 £ Ci, the first RGRW can be represented as 
M R>l (C u C 2 ) = min 0) : x e d\C 2 }. 

Proof: From Lemma [2] A^r,i(Ci,C 2 ) can be represented as 

M Ril (Ci,C 2 ) = min {dim W : W e r(F^,),dim (pi n W) - dim(C 2 n W) > l) 
= min {dim W : W e r(F^), 3v e (Ci n W)\C 2 } 
= min {dim <u>* : e CAC 2 } . 

Therefore, since dim (v)* = d R (v,0) for a vector u e ¥ n qm from Lemma [H] we have M R> \(C\,Ci) = 
mm{d R (v,0) : v 6 Ci\C 2 }. ■ 
Lemma [T2l immediately yields the following corollary that shows that M R i(-, {0}) is a generalization of 
d R (-). 

Corollary 13. For a linear code C, d R (C) = M RA (C, {0}) holds. ■ 

Here we introduce the Singleton-type bound of rank distance lfl4ll . [|22l . 

Proposition 14 (Singleton-Type Bound of Rank Distance lfT4ll . j[22l0 . Let C c F" be a linear code. Then, 
the minimum rank distance of C is upper bounded by 

d R (C) <min|l,— j(n- dim C) + 1. (6) 

Note that the right-hand side of © is n - dim C + 1 if m > n and 2(n - dim C) + 1 if m < n. A code 
satisfying the equality of © is called a maximum rank distance (MRD) code | [T4l |. The Gabidulin code 
031 is known as an MRD code. 

In the following, we shall present some extra properties of the RGRW M R ,(•, ■) and the minimum rank 
distance d R (-) by using the relation between M R j(-, •) and d R (-) shown above and the properties of the 
RGRW described in the previous subsection. In the case where m > n, Corollary \T5\ gives a generalization 
of the Singleton-type bound of rank distance 031, [|22l of C c F l q „„ and Corollary [16] shows that the RGRW 
of C\ c W qm and C 2 £ Ci depends only on C\ when C\ is MRD. Proposition [TTI presents an upper bound 
of the first RGRW by combining the Singleton-type bound of rank distance 031, 11221 of C Q ¥ n qin for 
m < n and the upper bound of the RGRW given in Proposition [TOl In the case where m < n, Corollary [T8] 
gives a tighter upper bound of the minimum rank distance of C c F^„, for m < n and dimC = 1 than that 
shown in Proposition [141 

First, Lemma |9] and Proposition ITOl yield the following corollary from Corollary [13] and Proposition IT4] 
This corollary shows a generalization of the Singleton-type bound of rank distance 031, [1221 of C Q F^ m 
in the case where m> n. 

Corollary 15. For a linear code C c W qin with m > n, M R4 (C, {0}) < (n - dim C) + i for 1 < i < dim C. The 
equality holds for all i if and only if C is an MRD code. 

Proof: From Proposition \M M RJ (C, {0}) < (n - dim C) + i is immediate. The RGRW M RJ (C, {0}) is 
strictly increasing with i from Lemma [9] and M s dimC (C, {0}) < n holds. Therefore, from Corollary [13] and 
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Proposition [EH M RJ (C, {0}) = n - dimC + i for 1 < i < dimC must hold if and only if C is MRD with 
m > n. ■ 

Next, we give the following corollary of Proposition ITOl for the RGRW of Ci Q ¥ q „, and C 2 £ C\. This 
corollary reveals that when Ci is an MRD code with m> n, the z-th RGRW M Rt i{C\,Cz) always coincides 
with the maximum possible value of M Rj (Ci, {0}), shown in Corollary [T5] regardless of its subcode C 2 . 

Corollary 16. Let m> n. Let C\ Q ¥ q „, be an MRD code and C 2 £ C\ be its arbitrary subcode. Then, the 
RGRW of Ci and C 2 is M Rd (C u C 2 ) = n - dim Ci + z for 1 < i < dim (Ci/C 2 ). 

Proo/: By the definition of the RGRW in Definition [5l we first have M Rj ,(Ci,C 2 ) > M^,(Ci,{0}). 
Hence, since Ci is MRD with m > n, we have M Ri (C\_,C 2 ) > M RJ (Cu {0}) = n - dimCi + z from 
Corollary [T5] On the other hand, we have M Ri (Ci,C2) < n — dimCi + z from Proposition [TOl Therefore, 
we have M RJ (Ci,C 2 ) = n- dim C\ + i. ■ 
By combining Proposition [14] and Proposition [TOl we also have the following proposition only for the 
first RGRW. This proposition presents an upper bound of the first RGRW, obtained by the Singleton-type 
bound of the rank distance of C c ¥ n qm for m < n in Proposition [141 

Proposition 17. The first RGRW of a linear code C\ c F^,„ and its subcode C 2 £ C2 is upper bounded by 

f ,. ,. m(n -dimCi)! 

M R i(Ci,C 2 ) < min^n -dimCi,(m- l)dimCi/C 2 , — — - ^ + 1. 

{ n-dimC 2 J 

Proof: As in the proof of Proposition \\0[ let <S £ F' q „, be a linear code such that C\ = C 2 + S. Also, 
we suppose that the first dimC 2 coordinates of S are zero without loss of generality. Since S can be 
viewed as a code of length n - dimC 2 , we have the following inequality from Proposition [T4l 

tn 

d R (S) = M R \(S, {0}) < — — {(n - dim C z ) - dim S} + 1 

n- dim C 2 

m(n - dimCi) + ^ 
zi-dimC 2 

Thus, from ©, 

m(n-dimCi) 
M RA (CuC 2 ) < M R \(S, ) < - - + 1. 

n-dimC 2 

Therefore, from Proposition [10] the corollary is proved. ■ 
The following corollary is immediately obtained from Proposition [FT] 

Corollary 18. Assume m>2. For a linear code C Q we have the following inequalities. 

{n -dimC+ 1 (n<m) 
(m-l)dimC+l (n>m,dimC=l) 
^(n-dimC) + l (n > m,dimC > 2). 



This corollary presents a tighter upper bound of d R (C) for C Q ¥ n qm than that shown in Proposition [T4l 
when m < n and dimC = 1. 

Lastly, by using the relation between the RGRW and the rank distance [fT4| presented above, we 
introduce an extra property of the RDIP K Ri (C\,C 2 ) when C\ is MRD. We define [x] + = max{0, x}. 

Proposition 19. Let C\ Q ¥ q ,„ be a linear code and C 2 £ C\ be a its subcode. Assume m > n and 
Ci be an MRD code. Then, the RDIP of Ci and C 2 is given by K R ^(C X ,C 2 ) = [u-n + dimCi] + for 
< ju < n - dimC 2 . 
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Proof: From Corollary [161 we have M RJ (Ci, C 2 ) =n- dim C\ + i for < i < dim (C1/C2). Thus, from 
Proposition [9] for i = 1, we have 

min^ : K R ^{C\,C 2 ) = l\ = n- dimCi + 1, 

and hence K Rs (C\,Ct) = for < fj. < n - dim C\ from Theorem [8] On the other hand, from Proposition |9] 
for i = dim (C1/C2), we have 

min{ju : X^(Ci,C 2 ) = dim (Ci/C 2 )} = n - dimCi + dim(Ci/C 2 ) 

=dimCi-dimC2 

= n - dimC 2 , 

and hence A"fi,„-dimc 2 (Ci,C 2 ) = dim(Ci/C 2 ). Thus, since 

^,„-dimc 2 (Ci,C 2 )-^i?,„-dimCi(Ci,C2) = dim(Ci/C 2 ) = dimCi -dimC 2 , 

holds, X Rj/J (Ci,C 2 ) = yu-n + dimCi for n-dimCi < p, < n-dimC 2 must hold from Theorem [8] Therefore, 
the proposition is established. ■ 

III. Universal Security Performance of Secure Network Coding 

This section derives the security performance of secure network coding based on the nested coset coding 
scheme [1401 . which is guaranteed independently of the underlying network code construction. 

This section first presents the network model with errors, and introduces the wiretap network model and 
the nested coset coding scheme in secure network coding. Next, we define the universal equivocation, the 
universal a>-strong security and the universal maximum strength as the universal security performance of 
secure network coding on the wiretap network model. We then express the universal security performance 
of secure network coding based on the nested coset coding scheme in terms of the RDIP and the RGRW. 

A. Network Model with Errors 

We first introduce the basic network model in which no errors occur in the network. As in fl6], [flOl . [|27l . 
(341, [|42ll . we consider a multicast communication network represented by a directed acyclic multigraph 
with unit capacity links, a single source node, and multiple sink nodes. We assume that linear network 
coding ifTTli . ||2"T1 is employed over the network. Elements of a column vector space F™ xl are called 
packets. Assume that each link in the network can carry a single F g -symbol per one time slot, and that 
each link transports a single packet over m time slots without delays, erasures, or errors. 

The source node produces n packets Xi, . . . , X„ e F^ ,xl and transmits Xi, . . . , X n on n outgoing links 
over m consecutive time slots. Define the m x n matrix X = [Xi,...,X„]. The data flow on any link 
can be represented as an F 9 -linear combination of packets X\,...,X n e F™ xl . Namely, the information 
transmitted on a link e can be denoted as b e X T e F^ xm , where b e e F^ is called a global coding vector 
(GCV) [fT3li of e. Suppose that a sink node has Af incoming links. Then, the information received at a sink 
node can be represented as an m matrix AX T e F^ xm , where A e F^ x " is the transfer matrix of the 
network constructed by gathering the GCV's of Af incoming links. The network code is called feasible if 
each transfer matrix to each sink node has rank n over F 9 , otherwise it is called rank deficient. The rank 
deficiency of the network coded network 11321 . 11341 . [1331 is defined by 

p = n - min {rank A : A at each sink node} , 

i.e., the maximum column-rank deficiency of the transfer matrix A among all sink nodes. As in |[32li . |[34li . 
Il35l . p is also referred to as p erasures. 

The above setup of the network coded network is referred to as an (n x m) q linear network [34]. We 
may also call it a p-erasure (n x m) q linear network when we need to indicate the rank deficiency p of 
the network. 
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Now we extend the basic model of the in x m) q linear network defined above to incorporate packet 
errors, as 021 , [34- 1 . We define the network model with errors as follows. 

Definition 20 (f-Error (n x m) q Linear Network). Suppose that the network is an (n x m) q linear network. 
Also suppose that at most / error packets, represented by Z e ¥' q xt , are injected from / links chosen 
arbitrarily in the network. That is, the information transported over a link e with the GCV b e is represented 
by b e X T + f e Z T e ¥ q xm , where f e e F' x ' corresponds to the overall linear transformation applied to the 
injected error packets Z on the route to the link e. Then, the network is called a t-error (n x m) q linear 
network. 

This /-error (n x m) q linear network may also be called a t- error- p- erasure (n x m) q linear network for 
the rank deficiency p. Note that in the /-error (n x m) q linear network, the information received at a sink 
node is expressed as 

y T = AX T + DZ T € ¥ N q xm , (7) 

where D e ¥ q xt is constructed by gathering / e 's of incoming links e's to the sink node, and hence D 
corresponds to the overall linear transformation applied to Z on the route to the sink node. 

The system of linear network coding is called coherent if the transfer matrix A is known to each sink 
node, otherwise it is called noncoherent. 

B. Wiretap Network Model and Nested Coset Coding Scheme 

Following 041 . 11321 . assume that in the /-error (nxm) q linear network defined in Definition [201 there is 
an adversary who observes packets transmitted on any p links. We also assume that the adversary knows 
the coding scheme applied at the source node and all the GCV's in the network. 

Let 'W be the set of p links observed by the adversary, and let B<w e F^ x " be the transfer matrix whose 
rows are the GCV's b/s associated with the links e's in f W. The information obtained by the adversary 
can be expressed by 

W T = BwX J + F^Z T 6 F^ xm , (8) 

where F<w e F^ x ' is constructed by gathering f e 's of links e's in f W, and F W Z T e F^ xm corresponds to the 
errors. In the following, we consider the reliable transmission of a secret message through this wiretap 
network model. 

The procedure of the secure message transmission over the wiretap network model is called secure 
network coding Q, |[T0l , [|27l , 11341 , [|42l . In the scenario of secure network coding, first regard an m- 
dimensional column vector space F^ ,xl as ¥ qm , and fix / for 1 < I < n. Let S = [Si,..., 5/] e ¥ l qm be 
the secret message of / packets. Under the adversary's observation of p links, the source node wants to 
transmit S as small information leakage to the adversary as possible. To protect S from the adversary, 
the source node encodes S to the transmitted vector X = [X\, . . . ,X n ] e WL of n packets according to 
some kind of coding scheme. Then, the source node finally transmits X as an m x n matrix over ¥ q to 
sink nodes through the network. In this paper, we assume that the source node knows nothing about the 
errors that occur in the network, as in the model of [1341 . 02]. 

In the secure network coding described in IfTOl , [|27l , 11341 , H2l . S is encoded by the nested coset coding 
scheme 0, AH, 071 . [1401 at the source node. In secure network coding based on the nested coset coding 
scheme, S is encoded to X at the source node as follows. 

Definition 21 (Nested Coset Coding Scheme). Let Ci c F^,„ be a linear code (m > 1), and 

C% £ C\ be its subcode with dimension dim d = dim C\—l over irV/jn . Let if/ : F^,„ — > C\jC% be an arbitrary 
linear bijection. For a secret message S e F^,„, we randomly choose X from a coset i//(S) e C1/C2. We 
make no assumption on the joint distribution P s x unless otherwise stated. 
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In 0, BUl, lfT8l , the nested coset coding scheme is called a secret sharing scheme based on linear codes. 
Definition I2T1 includes the Ozarow-Wyner coset coding scheme 11301 as a special case with Ci = F" m . 

Corresponding to X transmitted from the source node, the sink node receives a vector of ./V packets 
Y e Fgn. The decoding of S from Y will be discussed in Section ITVl 

C. Definition of the Universal Security Performance 

In order to measure the security performance of secure network coding in the above model, this 
subsection presents two criteria. The security performance measured by our criteria is guaranteed 
independently of the underlying network code, hence we call them universal. 

Let H(X) be the Shannon entropy for a random variable X, H(X\Y) be the conditional entropy of X given 
Y, and I(X; Y) be the mutual information between X and Y [8]. The entropy and the mutual information 
are always computed using log ql „. 

1) Universal Equivocation: First, we define universal equivocation as follows. 

Definition 22 (Universal Equivocation). Assume that the secret message S is chosen according to an 
arbitrary distribution P s over ¥ l qm , and suppose that S is encoded to the transmitted packets X e F" m 
by a certain coding scheme. We make no assumption on the joint distribution Ps,x- Then, the universal 
equivocation ® M ,p sx of the coding scheme is the minimum uncertainty of S given BX T for all B e F^ x ", 
defined as 

Q^ Psx = min H(S\BX J ) 

= H(S) - max I(S ;BX J ). 

We will also call max I(S ; BX J ) in the above equation the maximum amount of information leakage to 
the adversary. 

Note that the conditional entropy of S given BX T is considered in Definition [221 But, we need to 
consider the adversary in the /-error (n x m) q linear network as the model presented in Section IIII-B1 
i.e., we need to consider the conditional entropy of S given W that contains the errors, as given in ©. 
In order to justify this difference between Definition [22] and the wiretap network model, we derive the 
following proposition. 

Proposition 23. Fix a matrix B e F^ x " arbitrarily. Let S e ¥ l q „, be chosen according to an arbitrary 
distribution, and let X e ¥ q „, be chosen according to an arbitrary distribution such that S is uniquely 
determined from X by some surjection. Suppose that E e F^,„ is chosen according to an arbitrary 
distribution. Then, for W T = BX J + E J , H(S\W) > H(S\BX J ) always holds. 

Proof: Observe that S «-» BX T <-» W forms a Markov chain. By the data processing inequality [J8j , 
we have I(S ; BX J ) > I(S ; W), which implies H(S \W) > H(S \BX). ' ■ 

The statement equivalent to Proposition 1231 was given in |[42l Theorem 4.1]. This proposition shows that 
for /i tapped links, the uncertainty of at least ® M ,p sx defined by Definition [22] is always guaranteed even if 
errors occur in the network. In other words, from Proposition [231 we can see that Definition [221 considers 
the most advantageous case for the adversary in the wiretap network model given in Section IIII-BL as 
with the model considered in [1341 , I1421 . 

As the security measure for secure network coding, the maximum uncertainty of S given B^yX T for all 
possible 'TV's of tapped links was considered in [0, IfTOl . 11271 . 11421 . where m = 1. However, the security 
measure in []6l, |[T0l . 11271 . [|42~1 is dependent on the underlying network coded network, i.e., it is not 
universal. On the other hand, as defined in Definition l22l © p ,p sx does not depend on the set of possible 
•TV's of tapped links in the network. Thus, & M ,p sx is guaranteed on any underlying network code, and 
hence it is universal. 
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Silva and Kschischang proposed a scheme based on the nested coset coding scheme with MRD codes 
C\,C% Il34l with which no information of S is obtained from any dimCi - / = dimC2 links for any 
distribution of S when the conditional distribution of X given S is uniform over i/^S), provided m > n. 
That is, their scheme guarantees the universal equivocation ©dimCi-/,/**;* = H(S) for any distribution of S . 

2) Universal co-Strong Security and Universal Maximum Strength: Definition l22l defines the universal 
equivocation ® M ,p sx as the security measure for all the components of a secret message S = [S i, . . . ,S i\. 
Consider the case where ® M ,p sx < H(S), i.e., some information of the secret message leaks to the adversary. 
Then, some components of S i , . . . , S ; could be uniquely determined by the adversary. It is clearly desirable 
that no component of Si,..., 5/ is deterministically revealed and that every symbol 5, is kept hidden, 
even if some information of S leaks to the adversary. Hence, we can say that the number of tapped links 
such that every symbol S is kept hidden represents the resiliency or strength of the coding scheme against 
eavesdropping. Now we focus on such security and give the following definition as the resiliency of the 
coding scheme against eavesdropping. 

Definition 24 (Universal oj-Strong Security and Universal Maximum Strength). Let S z = (Si ■: i e Z) be 
a tuple whose indices belong to a subset Z £ {1, • • • , I}- We say that the coding scheme attains universal 
co-strong security if we have 

7(5 z ; BX J ) = 0, \fZ, Vfl e F^ HZI+1)xn , (9) 

for uniformly distributed S and conditionally uniformly distributed X given S . The maximum possible 
value of co in the scheme is called universal maximum strength Q. of the coding scheme, defined by 

Q = max [co : I(S Z ; BX T ) = 0, VZ Q [1, . . . , I}, Vfi e fJ^ izi+1)x ") . (10) 

The universal strong security defined in ||33l is a special case of Definition [24] for Q = n - 1 and 
Ci = ¥ q „, . Unlike the definition of ®^p s x in Definition [221 we have considered the case where the secret 
message S is uniformly distributed and the transmitted packets X are conditionally uniformly distributed 
given S . This is because the value of I(Sz',BX T ) is dependent on the conditional distribution of X given 
S z, while 0^,p 5 x does not have such dependence. Without assuming a joint probability distribution on S 
and X, we cannot have a meaningful sufficient condition for I(Sz',BX T ) = in (TTOi 

In Definition [241 the mutual information between a part of S and BX T is considered, and the errors 
Z contained in the eavesdropped information are not considered. This is based on the same reason that 
errors are not considered in Definition |22] That is, from Proposition [231 the universal f2-strong security 
is always guaranteed even if errors occur in the network. 

As in IfToll . I125TI . [[331 . a scheme with universal w-strong security does not leak any \Z\ components 
of S even if at most co - \Z\ + 1 links are observed by the adversary, provided that P s x satisfies the 
assumption in Definition [241 Moreover, this guarantee holds over any underlying network code as ® M ,p sx . 
Hence, co and Q are also universal. In Corollary [3T1 we will present an upper bound of I(S z\ BX T ) with 
arbitrary P s x in terms of £1 

D. Expression of the Universal Security Performance in Terms of the RDIP and RGRW 

In this subsection, we express ©^p^ and Q given in Section UlI-CI in terms of the RDIP and RGRW. 
We first give the following lemma that will be used in the analysis on the security performance. 

Lemma 25. Let C\ Q ¥ n q ,„ be a linear code and d £ C\ be its subcode. For an arbitrary subspace V Q ¥ q ,„, 
we have 

dim (Ci n V) - dim (C 2 nV) = dimCi/C 2 - dim (Cj n y ± ) + dim (Cf n y ± ). 

Proof: 

dim (Ci n V)-dim (C 7 n V) 

^ " " v- " 

^i-dirrUCinV)- 1 - ^i-dirTKX^nV)- 1 - 
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= dim (C 2 n V) x -dim (Ci n V) x 

=c^+v x =cf+v x 
= dim (Cf + V x ) - dim (Cf + V /± ) 

= {dim Cf + dim V ± - dim (C£ n V ± )} - {dim + dim V x - dim (Cf n V ± )} 
= dim Cf - dim Cf -dim (Cf n y ± ) + dim (Cf n V x ) 

=n-dimC2 =n-dimCi 

= dimCi - dimCj -dim (Cf n y ± ) + dim (Cf n y ± ). 

dimCi/C 2 



We note that Lemma [25] is a generalization of Forney's second duality lemma [fT2l which shows that 
the dual of the intersection of a code C c F ql „ and a subspace V e A(Fj m ) is the projection of the dual 
code C" 1 " to the support set |[T2l of V. Because, when C 2 = {0} and V e A(¥L), Lemma [251 yields 

dim (Ci n V) = dimC^ -dim y ± + dim (Cf n y ± ) 

«-dimC| 

= n - d i m y x -(dim Cf - dim (Cf n y x )), 

dim V 

where dim Cf - dim (Cf n V- 1 ) equals the dimension of the projection of Cf to the support set of V. Thus, 
if C2 = {0} and V e A(F^ m ), Lemma |25] becomes Forney's second duality lemma. 

Here, we give a lemma for the mutual information between the message and information observed 
by the adversary. From now on, for a matrix M e F^", we represent a row space of M over F q m by 
row(M) = {uM : u e F^,„} c F q ,„. For a set denote by the random variable uniform on 3K. For a 
random variable V and a set Jl(V) depending on V, denote by U^y) the random variable conditionally 
uniform on J\{V) given V. For three random variables A, B, C, denote by D(A\\B) the relative entropy 
(H between probability distributions P A and P B . Also we denote by D(A\\B\C) the conditional relative 
entropy [8] between two conditional probability distributions P A \ C and P B \c given C. 

Lemma 26. Let Ci c F ql „ be a linear code and C2 £ Ci be its subcode with dimC2 = dimCi - /. Assume 
that a random variable S e F' qm is chosen according to an arbitrary distribution over ¥ l qm . For a bijective 
function ij/ : F' ym — > C1/C2 and given 5, let X e F^,„ be a random variable arbitrarily distributed over a 
coset i/KS) £ Ci /C 2 . Fix a matrix 5 e F^*" over F^ arbitrarily, and let W T = BX T e F^* 1 . Then, we have 

I(S; W) < dim (Cf n row (5)) - dim (Cf n row (5)) + DiXWU^S), (11) 

and 

7(5 ; W) > dim (Cf n row (5)) - dim (Cf n row (B)) - D(S \\U S ), (12) 

where we have written S = ¥' qm for the sake of simple description. If both S and X are uniformly distributed 
over F* and Ci respectively, the equalities in CCD and (H2} hold, i.e., I(S; W) = dim(Cf n row (B)) - 
dim (Cf n row (5)). If I(S ; W) = holds for a distribution of S that assigns a positive probability to every 
element in ¥ l ql „, then we have dim (Cf n row (5)) - dim (Cf n row (5)) = 0. 

Proof: We first recall that for random variables A e Ji and fi e S, we have the following relations 
among the conditional entropy and the (conditional) relative entropy flU: 

H(A) = log - D(A\\Uft), (13) 
tf(A|fl) = E B [log W)|] - D(A\\U m) \B), (14) 

where A e jft(b) with probability one given B = b and E denotes the expectation. In the following, we 
will use these relationships to prove the lemma. 
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Recall that for given 5 = s as a realization of 5, there exists a unique coset i/^s) e C1/C2. Also 
observe that for given W = w as a realization of W, there exists a unique coset <Y(uO = {x e C\ : Bx T = 
w T } e Ci/irowiB) 1 - n Cy). Observe that X belongs to if/(s) n X(w) when 5=5 and W = w, and that 
log^ n = log 9 ,„ |C 2 n rowti?)- 1 ! = dim (C 2 n rowtT?)- 1 ) for any 5 and w. Thus, by (fl4T> , we have 

H(X\S, W) = dim (C 2 n row^) - D(X\\U mnX(W) \S , W). (15) 

Also observe that X is distributed over X(w) when W 7 = w, and that \og qm \X(w)\ = \og ql „ \Ci n row (B) ± \ = 
dim (Ci n row^)" 1 ) for any w. Thus, by (HU), we obtain 

H(X\W) = dim (Ci n row(5) ± ) - D(X\\U X(W) \W). (16) 

Recall that X is distributed over a coset i/^s) e C1/C2 for fixed 5=5, and log 9 „, \if/(s)\ = dimC 2 for any 
s. Thus, by (fl4l) . we have 

77(X|5) = dimC 2 -D(X\\U m \S). (17) 

Let a subspace 'W = {xB T : x e Cj|. For the cardinality of f W, we have log ql „ \W\ = dim 'TV = 
dim Ci - dim (Ci n row^)- 1 ). Thus, by CLU), we have 

H(W) = \og q ,„ \<W\ -D(W\\U W ) = dimCi -dim(Ci n row (5) x ) - D(W\\U<w). (18) 

By expanding 7(5 ; W) and substituting (fT5T) . (flTT) and (fT8l into the expanded equation ([191 ), we obtain 

7(5 ; WO = 7(5 , X; W) - I(X; W\S ) 

=H{W)-H(W\S,X) =H(X\S)-H(X\S,W) 

H(W) -H(W\X) 

=dimCi-dim(Cinrow(B) ± )-D(W||f/T V ) (by [HQ) =0 

77(X|5) + H(X\S,W) (19) 

=dimC 2 -£>(A'||^ ( 5 ) |S) (by (T7J) =d\m(C2nrow(B) L )-D(X\\U l/ ,(S)nX(W)\S,W) (by (BJ) 

= dim Ci - dim C 2 -dim (Ci n row (5)- 1 ) + dim (C 2 n row (5)- 1 ) 
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+ D(X\\U HS) \S) - D(W\\U<w) ~ D(X\\Uf iS)nXm \S, W) 
< I - dim (Ci n row(5) ± ) + dim (C 2 n row(5) ± ) + D(X\\U^ S )\S), 
= dim (C2 n row (B)) - dim (C| n row (5)) + D(X||£/ WS) |5), (by Lemma 

which proves (fTTT ). 

On the other hand, observe that 

77(5 \W) < dim (d n row (5) ± ) - dim (C 2 n row (5) x ), 

because the number of possible 5 for any given W = w is exactly equal to ^dim^nroww^/gmdim^nroww^ 
Thus, 

7(5; W) = 77(5) -77(5 1 W) 

> 77(5 ) - dim (Ci n row (fl)- 1 ) - dim (C 2 n row (B^) 

= 77(5 ) - / + dim (C£ n row (5)) - dim (Cf n row (5)) (by Lemma |25]> 

= dim (C2 n row (5)) - dim (Cf n row (5)) - D(5 ||£/ 5 ) (by CL!) 

which proves (fT2T) . 

Here, we show the equalities in (fTTT) and (fT2l) for the uniformly distributed 5 and X. Assume that 5 is 



uniform over ¥ qm . Then, from (|T3I) . we have D(5||t/,s) = l-H(S) = 0. Also, when X is uniform over C\, 
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i.e., uniform over tfr(S), we have H(X\S) = dimC 2 and hence D(X\\U m \S) = dimC 2 - H(X\S) = from 
(PT4l) . Therefore, the equalities in (|TTb and (fT2l hold. 

Finally, we show the last statement for the distribution of S that assigns a positive probability to every 
element in ¥ l q ,„. Fix the distribution of X over if/(s) given S = s arbitrarily. Let P s be a distribution of S 
such that all elements in F^,„ have positive probabilities, and assume that I(S ; W) = holds for P s . Recall 
that the mutual information is expressed in terms of the relative entropy [8] as 

= I(S;W) = Y J Ps(s)D(W s \\W), 

s 

where W„ is the random variable with the distribution P\y\s=s- Thus, D(W 4 ||W0 = 0, i.e., P\y\s=s = Pw, 
simultaneously holds for all s e F^,„ from the nonnegativity of relative entropy [HJ. Here, consider another 
random variable S' with an arbitrary distribution P s >, and the corresponding random variable W. Then, 
the distribution P w is the convex combination of P w . Thus, we have Pw\s'=s = Pw, D(W' S/=S \\W) = 0, 
for all s e F l qm since Pw\s=s = Pw f° r ai l s e Hence, for an arbitrary distribution P s >, we obtain 

7(5'; = J]Ps(s)D(W' s ,J\W) = 0. 

This equation holds for uniformly distributed S' over F^,„, i.e., for the case where D(S'\\Us) = 0, and 
hence we have = I(S'; W) > dim(C2 n row (7J)) - d\m(Cf n row (5)) from (HU). Therefore, since 
dim n row (5)) - dim (Cf n row (5)) > holds, we have dim (C^ n row (5)) - dim (Cf n row (5)) = 0. 

■ 

Note that the matrix 5 in Lemma [261 is defined over the field extension F^», while the transfer matrix 
B to the wiretapper is restricted to the subfield ¥ q in the wiretap network model defined in Section IIII-BI 

Cai and Yeung 0, O, jH considered the security condition of secure network coding such that the 
adversary obtains no information of the secret message when S and X are chosen according to distributions 
that assign positive probabilities to all the secret messages and the transmitted packets [4, Lemma 3.1]. 
Their security condition corresponds to the last statement in Lemma [26] and the fact that I(S ; W) = 
when dim(C2 n row (B)) = dim(Cf n row (B)) holds and X is conditionally uniform over ifr(S) given S 
from (TTTT) . Note that in the last statement in Lemma |26l we made no assumption on the distribution of X, 
unlike 0] Lemma 3.1]. For an arbitrary joint distribution of S and X, Zhang and Yeung PTTl generalized 
the security condition of [|3), [GO, fl6l that corresponds to the last statement in Lemma [261 We should 
note that in the last statement in Lemma [26l we assumed the distribution of S that assigns a positive 
probability to every message, in order to express the condition in terms of the dimensions of subspaces. 
The proof of Lemma [26] can be adapted to the case of arbitrarily distributed S , and we can easily show 
that if I(S;W) = for P s , we have 7(5'; W) = for any TV satisfying {s : P s ,(s) > 0} c {s : P s (s) > 0}. 
Further, unlike [|3], [13 , fl6l, PTI. Lemma 1261 additionally derived the upper and lower bounds of the mutual 
information leaked to the adversary by using the relative entropy for arbitrarily distributed S and X. In 
the following, we shall derive the security performance expressed in terms of the RDIP and the RGRW 
by using Lemma [26] which is guaranteed independently of the underlying network coded network. 

Here we recall that if an ¥ a m -linear space V c F" admits a basis in F" then V 6 r(F" ) by Lemma CD 
Since the transfer matrix B is defined over the base field ¥ q in Section IIII-BI this implies 

row (5) er(F^). (20) 

We give the following theorem for the maximum amount of information leakage to the adversary, 
defined in Definition l22l 

Theorem 27. Consider the nested coset coding scheme with Ci, C2 and if/ in Definition [2T1 Then, the 
maximum amount of information leakage to the adversary, defined in Definition [221 is in the range of 

K^iC^Cf) - D(S\\U S ) < max I(S;BX T ) < K Rttl (C^,Ci) + D(X\\U m \S), (21) 

BeF^ x " 
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where we have written S = ¥ m for the sake of simple description. If both the secret message S and the 
transmitted packets X are uniformly distributed over F l q ,„ and Ci respectively, the maximum amount of 
information leakage exactly equals max I(S ; BX J ) = Kr^Co, Cf). If the maximum amount of information 

BeF' 9 ' x " 

leakage is exactly zero for a distribution of S that assigns a positive probability to every element in F^,„, 
we have K RM (Cf,Cf) = 0, which corresponds to El Lemma 3.1]. 

Proof: Let B e F^ x " be an arbitrary matrix. By (EOT ) we have 

{row (B):Be Ff} = |J L(F^). (22) 

From Lemma [26j we have 

max I(S;BX T ) < max ld\m(Cf n row(fl)) - dim (Cf n row(B))} + D(X||£/ W) |5), (23) 

BeFf" BeFf " 

and 

max I(S;BX T ) > max {dim(Cf n row (5)) - dim(Cf n row (5))} - D(S||t/ 5 ). (24) 

BEFf BeF^ x " 

For the first terms on the right-hand side of (|23l and (1241 . we have 

max {dim (Co n row (5)) - dim (Cf n row (5))} 

BeFf " 

= max {dim (Co n V) - dim (Cf n V)} (by <|22J) 

VeU,<„r,-(F^) 

= max {K R>i (C2 , Cf) (by Definition g]>. 

= ^(C^, Cf) (by Theorem ©. (25) 

Therefore, we have (|2TT ). 

If 5 and X are uniform over FL = <S and Ci respectively, we have I(S;BX T ) = dim(Cf n 
row (5)) - dim(C| n row (5)) from Lemma [26j Therefore, for the uniformly distributed S and X, we 
have max BeF? x„ /(S ; 5X T ) = i^(Cf,Cf) by ([25]). 

Finally, we prove the last statement. Assume that max fe ^» I(S ; BX T ) = holds for a distribution of S 
that assigns a positive probability to every element in ¥ l ql „. Then, we have dim (Cj n row (5)) - dim (Cf n 
row (5)) = simultaneously for all 5 e F^ x " from Lemma 1251 Therefore, we have K R ^(Cf,Cf) = 0. ■ 

This theorem includes the condition such that the maximum amount of information leakage is exactly 
zero. This corresponds to the security condition of secure network coding given in [|3)-[|6j, for all possible 
sets of tapped links, as Lemma l26l for one set of possible tapped links. We note that while our condition 
is independent of the underlying network code, i.e., universal, their security condition is dependent on the 
underlying network code. Further, as Lemma |26j we should note that the distribution of X is arbitrary in 
the last statement in Theorem [27] 

Theorem [27] immediately yields the following proposition for the universal equivocation. 

Proposition 28. Consider the nested coset coding scheme with C\, C2 and iff in Definition [2T] Then, the 
universal equivocation Q^p^, defined in Definition [22] is in the range of 

H(S) - D(X\\U m \S) - K R ^(Cf,Cf) < %, Psjl < I - K R ^(Cf,Cf). 

When both the secret message S and the transmitted packets X are uniformly distributed over F^,„ and C\ 
respectively, we have ® M ,p sx = I - Kr^C^ ,Cf). ■ 

Also from Theorem [27] we have the following corollary by the RGRW. 
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Corollary 29. Consider the transmission of X e F^„, over the wiretap network, which is generated from 
the secret message S by the nested coset coding scheme with C\, C2 and iff, defined in Definition [2T1 Then, 
1) if the adversary observes /j. < M R j(Cf,Cf) links (1 < j < T), the maximum amount of information 
leakage in Definition [22] is at most j - 1 + D{X\\U^,(S)\S) between S and observed packets; 2) if the 
adversary observes /j. > MnjiC^Cf) links (1 < j < I), then the maximum amount of information leakage 
is at least j - D(S\\Us) between S and observed packets, where S = ¥ l qm ; 3) if the adversary observes 
H = M R j(Cf,Cf) links, there exist P sx and B by which the adversary obtains the mutual information j 
between S and observed packets BX T ; and 4) If the maximum amount of information leakage is exactly 
zero for a distribution of S that assigns a positive probability to every element in ¥ l q ,„, the number of 
tapped links is /u < MgjiC^Cf), which again corresponds to [31 Lemma 3.1]. 

Proof: Since we have minjju : K R41 (Cf,Cf) = jj = M R j(Cj,Cf) from Lemma [9] we obtain 
K R ^(Cf,Cf) = j and K R ^ Y {Cf,Cf) = j - 1 f or fi = M RJ (Cf,Cf). This implies that from Theorem [27] 
the maximum amount of information leakage is at most j— \ + D(X\\U^s)\S) from less than Mr^Cj.C^) 
links. Also, the maximum amount of information leakage is at least j — D(S\\Us) from M R j(Cf,Cf) or 
more links. We note that D(S\\U S ) = D(X\\U#(S)\S) = when S and X are uniformly distributed. Thus, 
statements l)-3) are proved. 

When max geP "x« I(S ; BX T ) = holds for a distribution of S that assigns a positive probability to every 

element in P qm , we have K R ^(C^, Cf) = from Theorem[27] and M RA (C^, Cf) = min {/u : K R ^(C^, Cf) = l) 
holds from Lemma [9] Therefore, statement 4) is proved. ■ 

Statement 1) in Corollary [29] shows that if the transmitted packets X are chosen uniformly at random 
from a coset rf/(S ) given S , the adversary obtains no information of the message S from any Mr^C* , Cf)- 1 
links, independently of the distribution of S . In contrast, if X is not uniform and D(X\\U^js)\S) > 0, the 
information of S leaks out from less than Mr^C^Cj") links. 

In |[29] Proposition 2], Oggier and Sboui introduced a special case of Corollary [29] for j = 1, C\ = F^ m 
and uniformly distributed X eC\, in terms of the minimum rank distance. Namely, they showed that the 
adversary obtains no information of S from any d^Cf) - 1 = M^iCf, {0}) - 1 links. 

Ngai et al. lETTl and Zhang et al. [1421 analyzed the lower bound of the uncertainty of the secret 
message by the (R)NGHW in the case where the transmitted packets X are uniformly distributed over 
i/f(S). Proposition |28] and Corollary [29] correspond to their results using (R)NGHW. We should note that 
unlike [|27l , B2l . we considered the case where both S and X are arbitrarily distributed, and derived both 
upper and lower bounds. Further, while our analyses using the RDIP and the RGRW are universal, the 
analyses using (R)NGHW in GTll . Il42l are dependent on the underlying network code. 

Lastly, we express £1 in Definition [24] in terms of the RGRW. In order to derive £1, we first introduce the 
following proposition that reveals the mutual information between a part of the message S and observed 
packets of the adversary in the case where S and the transmitted packets X are arbitrarily distributed. 

Proposition 30. Consider the nested coset coding scheme and fix C\, Ci_ and iff in Definition [2TJ For a 
subset X, £ {1, • • • , let S z - (S , ■ : i e X), and C^z be a subcode of C\ defined by 

C 3 ,z= [J W 1,..., S,]). (26) 

Si=0:ieZ, 
SjeBjn-.jtZ 

Also, define a bijective function if/ z '■ FS — * Ci/C^z by 

<Az(Sz)= U «A([S 5/]). (27) 

Then, the maximum amount of the mutual information between S z and BX T is in the range of 

K R ^(Cl z , Cf) - D(S z \\U Sz ) < max I(S Z ; BX T ) < K^(C^ Cf) + D(X\\U^ z{Sz) \S z ), (28) 
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where we have written <S Z = F ZI . If both S and X are uniformly distributed over ¥ l qm and C\ respectively, 
it exactly equals max I(S Z ',BX J ) = K R JC^,Cf). 

BePf" 

Proof: For a subset Z c {1, . . . ,/}, C3, z linear subspace satisfying C2 Q Cs, z - C\ and 

dim 03,2: = dimCi - \Z\- Hence, the information leakage of S z in the nested coset coding with C\ and 
Ci according to P s x is equal to the one in the nested coset coding scheme with Ci and C^x according 
to Ps z ,x, where Ps z ,x is the joint distribution of S z and X. Thus, by Theorem [271 (1281) holds. Assume 
that S and X are uniformly distributed over ¥ l qm and C\, respectively. Then, S z is uniform over F ZI , 
and from the definition of fa in (1271 ), X is also uniform over iA z (<S z ) given S. Therefore, we have 
max &F; » 7(5 z ; 5X T ) = K R>fl (C^, Cf). " ■ 

From Proposition l30l and the definition of the maximum universal strength Q. in Definition [24l we give 
the following upper bound of max BeF ^ n I(S z ; BX T ) for arbitrarily distributed S and X, which is expressed 
in terms of Q. 

Corollary 31. Consider the nested coset coding scheme defined in Definition |2H with the maximum 
universal strength Q. Then, for fixed fi and Z Q {1, . . . , /}, we have 

max I(S Z ; BX J ) < ]jx - Q + \Z\ - 1] + + D(X\\U^ z{Sz) \S z ), 

where fai^z) 1S defined by (1271) . 

Proof: When S and X are uniformly distributed, we have max M p» I(S z ; BX J ) = K Rf/ (C^ z , Cf) from 
Proposition l30l Recall that the RDIP K R ^(C^ z ,Cf) is monotonically increasing with fi from Theorem [8] 
and that max geF ^„7(S z ;7iX T ) = if ju < Q. - \Z\ + 1 from Definition EH We thus have K R ^(Cf z ,Cf) < 
[p.-Q + \Z\- 1] + . Therefore, from Proposition [301 we have max g€F exn 7(S Z ; BX T ) < K R ^(C^ z ,Cf) + 
D(X\\U^ z( s z) \S z ) < \M ~ + \Z\ ~ 1] + + D(X\\U tz{Sz) \S z ) for arbitrarily distributed S and X. ' U 

This corollary shows that if the maximum universal strength Q. is known, the maximum amount of 
information leakage of S z to the adversary can be estimated by calculating D(X\\U^ z (s z )\S z ) depending 
on distributions of S and X. This also implies that when D(X\\U Z )\S z) > for some Z, a part of 
the secret message might be revealed to the wiretapper from fi < Q. - \Z\ tapped links. Here, we note 
that D(X\\U^ z ( Sz )\S z) is always zero for any ijj and any Z when S and X are uniformly distributed 
over F^,„ and C\, respectively. From these observations, we can say that since S and X are assumed to 
be uniform in Definition [241 the maximum universal strength Q represents the resiliency of the scheme 
against eavesdropping in the ideal environment in which every part of the secret message is hidden. 

By Proposition [301 we have the following theorem which exactly expresses Q in terms of the RGRW. 

Theorem 32. Fix C\,Ci and t/r in Definition I2T1 and consider the corresponding nested coset coding 
scheme. For a subset Z c {1, ...,/}, let S z — (£,•: i € Z) and Cxz be a subcode of Ci, defined by (|26l) . 
Then, the universal maximum strength Q. of the scheme, defined in Definition [241 is given by 

Q = min{M«, 1 (C 3 J ; z ,Ct) + |Z| : Z Q {1, ...,/}}- 2. 

Proof: The universal maximum strength Q., i.e., the maximum value of a>, is given as 

Q. = max [to : 7(5 z ; BX T ) = 0, VZ Q {1, . • . ,/}, Vfi e F^ IZI+1 } 

= minjyu : Zc {1, ...,/}, 35 e F^ HZI+1)X ", 7(5 z ; 5X T ) = 1 ) - 1 (by Definition [241) 

= min {// + |Z| - 1 : Z Q {1, ...,/}, 3B e Ff", 7(5 Z ; 5X T ) = l) - 1 

= min {min iu:3B<= Ff \ 7(5 z ; 5X T ) = l) + |Z| - l) - 1 

= min J min \ a : max 7(5 Z ; BX T ) = 1 1 + \Z\ - 1 1 - 1 
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= ^rnin {min{,u : K R ^(Cj z ,Cf) = l) + \Z\ - l} - 1 (by Proposition |3DJ 
= min \m r !(Ct r , Cf) + \Z\] - 2. (by Lemma H 

Zc{l,...,Q I ' ' 

■ 

In order to derive the exact value of Q., we must calculate the RGRW's of Ci and C^x^ f° r a ^ possible 
Z's as shown in Theorem [32] Thus, the calculation of Q involves the search for the minimum value of 
the RGRW over the exponentially large set for /. Here, we give the upper and lower bounds of Q. The 
bounds can be obtained by calculating only I values of RGRW's, hence they are useful for estimating the 
value of Q, in nested coset coding schemes. An upper bound of Q, is simply obtained by Theorem 1321 as 
follows. 

Proposition 33. Fix C\,C 2 and iff in Definition [211 and consider the corresponding nested coset coding 
scheme. For i c {1, ...,/}, let C-i^ be a subcode of C\, defined in (|26l ) for Z = {*'}• Then, the universal 
maximum strength Q of the scheme is upper bounded by 

Q < rmn{M Ril (C3 M ,Ct) : 1 </</}- 1. 

■ 

We also give a lower bound of Q. For a subset 3 £ {1, • • • , N] and a vector c = [c\, . . . ,c N ] e F^„, 
let Pj(c) be a vector of length \J'\ over F^m, obtained by removing the f-th components c t for t $ 
J. For example for J = {1,3} and c = [1,1,0,1] (N = 4), we have Pj(c) = [1,0]. The punctured 
code Pj(C) of a code C e is given by Pj(C) - \Pj{c) : c eC}. The shortened code Cj of a 
code C £ F^L is defined by Cj - [Pj(c) : c = [c\, . . . ,c N ] e C, c { = for i £ JT}. For example for C = 
{[0,0,0], [1, 1,0], [1,0, 1], [0, 1, 1]} (N = 3) and J = {2,3}, we have Cj = {[0,0], [1, 1]}. 

Proposition 34. Fix C\,C 2 and iff in Definition [2T1 and consider the corresponding nested coset coding 
scheme. Define a lengthened code of C\ by 

Cj = {[5,X] : 5 e F^ and X e <A(5)) c Fj?. 

Let {/} - {1, . . . , / + n}\{i}. For each index 1 < i < I, we define a punctured code £>i (i of C' t as T)\ j — 
Pji- } (C[) £ FjT -1 , and a shortened code £> 2 ,; of C; as D 2J = (CJjfi £ FjT -1 . Then, the universal maximum 
strength Q of the scheme is lower bounded by 

Q > min [M RA (D^ ti , : 1 </</}- 1. (29) 

Proof: From the definition of C' v !D 2i is a subcode of 2\ ; with dimension dim !D 2i = dim £>! , - 1 = 
dim Ci - 1 over F^ for each z e {1, . . ., /}. Let £ - {1, . . . , 1} and 5x\|i| - [Si,.. .,S^i,S i+l , ... ,5/] for 
1 < i < I. For S j e F q »< , define a coset 

T(Sd = {[S £m ,X] : S £Kli] e F 1 ^ and X e if/([S u . . .,S,])} e D U /D 2J . 

Here we define Z^r = Pj^([S,X]) = [S £\^,X] e £>!,-. Recall that S i, ... ,5 / are mutually independent and 
uniformly distributed over Jr^m . Thus, Zjjt can be regarded as the one generated from a secret message 
Si e F q m by a nested coset coding scheme with D\i and ( D 2 i according to the uniform distribution over 
t(S ,), that is, Zjjj e t(5,) is chosen uniformly at random from t(5,) e !Dij/!D 2 j. Therefore, we have 
I{Si\DZL) = for any D e Ff (M) whenever p. < M R>1 (£)^.,£)^.) from Corollary H3 

For an arbitrary subset K Q £\{i), define a matrix F K that consists of 1^1 rows of an (Z - 1) x (/ - 1) 
identity matrix, satisfying [S j : j e K] 1 = F^S^.^^. For an arbitrary matrix B e F k q xn (0 < k < n), set 

D = J ^ g J . Then, from the foregoing proof, we have 

= 7(5 f, DZ T -) = 7(5 ,■; S n , BX T ), (30) 
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whenever |K| + k < M X {D^,D\). Let R' = K U {z} = {n, . . . , r m+l }. Since S u ...,S t are mutually 
independent, the mutual information between SV an d BX T is given by 

I(S K ,;BX J ) = H(Sk>) - H(S K ,\BX T ) 

|«|+1 

= £ tf(S r .) - Yj H(S rj \BX T ,S ln _ rj _ l} ) 

7=1 7=1 

= ^ ^(S ; bx t , s { n ,...,r ; _i})> 

7=1 

from the chain rule [8J. Since the mutual information is nonnegative [[HI, we have I(Sn>;BX T ) = if 
and only if I(S r .; BX T , S (n >-->j# . = for all r ; - e By substituting z = r ; - in (1301 ), we always have 
I(S rj ;BX J ,S {ri J rj _ l} ) = only for r ; - if + /c < Afi(£^; ). Thus, we always have I(S K r,BX T ) = 

for arbitrary k and T?' whenever |^| + k < minjM^D^'^i";)! - J : - 4 holds. Therefore, we prove that the 
universal ct»-security is attained whenever oj < min ^M R j(Dj ,-, ^f,) : 1 < / < /}, and we have (l29l) . ■ 

Remark 35. In IfTSll . the security analysis of secret sharing schemes based on linear codes was given 
in terms of the relative dimension/length profile and the relative generalized Hamming weight [|23l . By 
replacing the RDIP and the RGRW in all the theorems given in this section with the RDLP and the 
RGHW and restricting shares to be uniformly distributed over Ci, we can obtain the theorems presented 
in IfOn . In particular, Theorem 1271 and Proposition 1281 become [fT8l Theorem 4], and Corollary |29lbecomes 
lfT8l Theorem 9, Corollary 11]. Also, Theorem 1321 and Theorem 1341 become [18, Theorem 12], where we 
note that in the case of secret sharing schemes, the exact value of Q in Theorem [32] coincides with its 
lower bound given in Theorem |34| 

Remark 36. In Il27ll . 11421 . the security analysis of secure network coding in the case of packet length 
m = 1 was given in terms of the (relative) network generalized Hamming weight (R)NGHW. By replacing 
the RGRW with the (R)NGHW and restricting transmitted packets to be uniformly distributed over Ci, 
Corollary [29] becomes [[271 Theorem 7], [42. Lemma 4.3]. Note that since the (R)NGHW is determined 
according to the GCV's of all links as we explained in Section III-Bl their security analysis by the 
(R)NGHW is dependent on the underlying network code construction, unlike our analysis by the RDIP 
and RGRW. 

IV. Universal Error Correction Capability of Secure Network Coding 

This section derives the error correction capability of the nested coset coding scheme by using 
the approach in [32, Section III], which is guaranteed independently of the underlying network code 
construction. We shall consider the error correction not only over the coherent system of network coding 
but also over the noncoherent system. 

First, we give a definition of error correction capability in secure network coding, and introduce the 
coding scheme for the noncoherent network coding system. Next, we briefly review Silva et al.'s approach 
|[32l Section III]. By using their approach, we analyze and express the error-correction capability of the 
nested coset coding scheme in terms of the RGRW over the coherent network coding system. We finally 
extend the analysis to the noncoherent systems. From now on, only one sink node may be assumed without 
loss of generality. 

A. Definition of Error Correction in Secure Network Coding 

Now we consider a coding scheme that is a generalization of the nested coset coding scheme, described 
as follows. 
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Definition 37. Let S be a set of possible secret messages. Let P s be a collection of sets of rc-dimensional 
vectors over ¥ qm such that = \S\ and each element in Ps is a non-empty set. Assume that there exists 
a certain bijective function between S and P s . The coding scheme first maps a secret message S e S to 
a unique set <Y S e !Ps c F^ m ,|,Ys| > 0) of n-dimensional vectors by the bijective function. Then, an 
element X e Xs is chosen from Xs and served as n packets transmitted through the network. 

Here we note that in the nested coset coding scheme with Ci and C2, S = FL, X s = if/(S) e C1/C2 
and Vs = {^s '■ S e S} = C1/C2, as defined in Definition [2T1 The reason we consider Definition |37l is that 
we need to analyze the error correction capability in generalized fashion in the case of the noncoherent 
network coding system, due to the modification to the nested coset coding scheme as described later in 
Section IIV-A21 For this generalized coding scheme, we define the following error correction capability in 
the model of network coding described in Section IIII-AI 

Definition 38 (Universally J-Error-p-Erasure-Correcting). Consider the /-error-p-erasure (n x m) q linear 
network in Definition [201 Consider a coding scheme defined in Definition [37] Then, the coding scheme 
is called universally t-error-p-erasure-correcting, if every S e S can be uniquely determined from Y T = 
AX T + DZ T e Fj„ for VA e F^ x " : rank A > n - p, VX e X s , VD e F^ x ', VZ e F^,„. 

As defined in Definition [381 the capability of universally /-error-p-erasure-correcting is guaranteed on 
any underlying network code, and hence it is called universal. Silva et al.'s secure network coding scheme 
|[34l Section VI] uses MRD codes C\ and C2, and it is universally J-error-p-erasure-correcting when the 
minimum rank distance |[T4l of C\ is greater than 2t + p. 

Here, we explain the coding scheme executed at the source node in the case of both a coherent system 
and a noncoherent system. 

1) Case of Coherent System: First we explain the fundamental case of a coherent network coding 
system, i.e., the transfer matrix A is known to the sink node. In this case, the source node simply encodes 
a secret message S e S = ¥ l qm to the transmitted n packets X e X s = rf/(S) by the nested coset coding 
scheme with Ci,C2, as explained in Section [Tll-Bl And then, Vs = Ci/Cj- Finally, X e ¥ n qm is regarded as 
anmxn matrix over ¥ q , and transmitted through the network. 

2) Case of Noncoherent System: As described in Section Ull-Al the transfer matrix A is unknown to 
the sink node in the case of a noncoherent network coding system. In this case, the source node appends 
appropriate packet headers to the packets generated by the nested coset coding scheme. The addition of 
packet headers is called the lifting construction ll3~5Tl . Since the information of GCV's are carried by the 
packet headers in the lifting construction, this allows the scheme to be decoded when A is unknown. 

The lifting construction [1351 of the nested coset coding scheme is described in detail as follows. Let 
4>m : ¥ q m — > F^ ,xl be an F 9 -linear isomorphism that expands an element of F^ as a column vector over 
¥ q with respect to some fixed basis for ¥ q m over ¥ q . Let m = m - n, and let C\ Q F"_ and C2 £ Ci be 
a_ linear code and its subcode, respectively. By the nested coset coding scheme with Ci,C2, we generate 
X e Ft from a secret message S e S = F^_. Then, expanding X = [Xt, . . . ,X n ] e Ft to an m x n matrix 

cf>m(X) = [(pm(X\), . . . , 4>m{X n )] s F™ x " over the base field ¥ q , we construct X e F^,„ of transmitted n packets 

that is represented as X J = \l 0m(X) T ] 6 ^ q xm as a matrix over ¥ q , where the identity matrix / e F^ x " is 
the packet header. Hence, X s and P s is given by 



Xs = Xsm - i X = 



:Xeif,(S)Y, 



I 

rs = rm = \XeX SM :S e¥>\, (31) 



where X e ¥ n qm is regarded as an m x n matrix over ¥ q . Here, recall that we defined S(X) c F^ for 
X = [Xi, . . . ,X n ] e ¥ n qm as an F^-linear subspace of ¥ q m spanned by X\, . . . ,X n , and note that dim F(J S(X) = n 
is always guaranteed for all X e X s ,\\n an d all ^sjift e ^Nft by the packet header I. 
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Remark 39. The packet headers of the lifting construction do not convey the information generated from 
the secret message, and convey only the information of the GCV's (and errors). Thus, appending packet 
headers does not affect the security given in Section [TlTJ 

The following subsections analyze the universal error correction capability of the nested coset coding 
scheme in the coherent system, and also analyze that of the lifting construction of the nested coset coding 
scheme in the noncoherent system. 

B. Brief Review of Silva et al. 's Approach 

First we briefly review the approach of [32, Section III]. Consider a transmission of data over a channel 
in which there exists an adversary. Let the channel be specified by a finite input alphabet P (e.g., a code), 
a finite output alphabet <3 (e.g., a vector space), and a collection of fan-out sets Q P c Q for all P e P 
(e.g., a collection of cosets). For each input Pep, the output Q of the channel is constrained to be in 
Q P but is otherwise arbitrarily chosen by an adversary. A decoder for P is any function P : Q — » fU {/}, 
where / £ P denotes a decoding failure, i.e., detected errors. When P e P is transmitted and Q e Q P is 
received, a decoder is said to be successful if P(Q) = P. We also say that a decoder is infallible if it is 
successful for all Q e Q P and all Pef. 

Assume that the fan-out sets for a input P is given as 

Q P = {QeQ: A(P,Q)<t}, 

for some A : P x Q — > N. The value A(P, Q) is called the discrepancy between P and Q for the given 
channel, which represents the minimum effort required for an adversary in the channel to transform P to 
Q. The value t represents the maximum effort of the adversary allowed in the channel. The problem is to 
decode P from Q by correcting at most t discrepancy. Then, the minimum-discrepancy decoder is defined 
by 

P = argminA(P, 0. 

Pep 

The relation between the discrepancy function and the error correction capability of this decoder was 
given in [32] as follows. 

Definition 40 ( Ol Definition 1]). For a discrepancy function A : P x Q -> N, let 6(P,P') = 
min {A(P, Q) + A(P', Q) : Q e Q). Then, A is said to be normal if, for all P,P' eP and all < i < 6(P, P'), 
there exists some Q e Q such that A(P, Q) = i and A(P, Q) = 6{P, P') - i. 

Theorem 41 ( BH Proposition 1, Theorem 3]). Let 6(P) = rnin {6(P, P') : P,P' eP,P± P'}. Suppose 
A(-, •) is normal. Then, the minimum discrepancy decoder P is infallible if and only if t < [(6(P) - 1)/2J. 

C. Universal Error Correction Capability of Secure Network Coding over Coherent Network Coding 

By applying the above approach [32, Section III] to the secure network coding over the coherent network 
coding system in Section IIV-AU this subsection derives the universal error correction capability of the 
nested coset coding scheme with C\,C2 for given A, in terms of the RGRW. 

Recall that the received packets Y are given by Y T = AX 1 + DZ T in the setup of Section IIII-Bl and 
that X € ¥ n qm is chosen from a set Xs e P s corresponding to S e S by a certain coding scheme defined 
in Definition [371 Note that we do not restrict the coding scheme to the nested coset coding scheme here. 
From now on, we write X = Xs for the sake of simplicity. Suppose that the transfer matrix A is known to 
the sink node as in Section IIV-AU Here, we define the discrepancy function between X and Y for given 
A by 

A A (X, Y) = min [r e N : 3D e Fj xr , 3Z e , 3X 6 X, Y T = AX T + DZ T ) . (32) 
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This definition of A A (X, Y) represents the minimum number r of error packets Z required to be injected in 
order to transform at least one element of X into Y, as [33, (9)]. For the discrepancy function A A (X, Y), 
the minimum discrepancy decoder is given as 

X = argminA^GY, Y). 

Note that "the minimum discrepancy decoder P is infallible" in Theorem @T| means that for the discrepancy 
function A A (X, Y), "any t error packets can be corrected by the coding scheme for given A using the 
minimum discrepancy decoder X" In the following, we will show that A A (X, Y) is normal. 
We define the A-distance 11321 between X and X', induced by A A (X, Y), as 

S A (X, X') ± min {A A (*, Y) + A A (X', Y) : Y e FjL) , (33) 

for X, X' e P s . Let 8 A {P S ) be the minimum A-distance given by 

5 A (P S ) = min {5 A (X, X') : X, X' e P s , X * X'} . 

Lemma 42 ( [J32l Lemma 4]). min [r e N : D e F^ xr , Z e W q „„ Y T = AX 1 + DZ T ) = d R (XA T , Y). 

Lemma 43. A A (X, Y) = min [d R (XA T , Y) : X e X}. 
Proof: From Lemma |42] we have 

A A (X, Y) = min [r e N : D e F^ xr ,Z e F r ym ,X e X, Y T = AX T + DZ T ) 

= min {{r e N : D e F^ xr , Z e F r yl „, Y T = AX T + DZ T ) : X e X) 
= min [d R (XA T , Y) : X e x] . 

■ 

Lemma 44. For X, X' e P s , we have 

6 A (X, X') = min { d R (XA T , X'A T ) : X e X, X' e X'} . (34) 

Proof: First we have 

6 A (X, X') = min {a a (*, Y) + A A (X', Y) : Y 6 FjL} 

= min { min [d R (XA T , Y) : X e x] + min [d R (X'A T , Y) : X' e X'} : Y e Pj,) 

= min { d R (XA T , Y) + d R (X'A J , Y) : X e X, X' 6 X', Y e Fj„ } . (35) 

The rank distance satisfies the triangle inequality d R (XA T ,XA T ) < d R (XA T , Y) + d R (X'A T , Y) for Vy e Fj, 
[fT4l . This lower bound can be achieved by choosing, e.g., Y = XA T . Therefore, from (I331 l. we have (|34l . 

■ 

Lemma 45. The discrepancy function A A (X, Y) is normal. 

Proof: Let X, X' e P s and let < i < d = 6 A (X, X'). Then, d = min [d R (XA T , X'A T ) :XeX,X'e X'} 
from Lemma HU Let X e X and X' e X' be vectors satisfying d = d R (XA T ,X'A T ). Here, we can always 
find two vectors W, W e such that W + W = (X' - X)A T , d\m^Q(W) = i and dim F? S(W) = d - i, 
as shown in the proof of fl32l Theorem 6]. Taking Y = XA T + W = X'A T -W, we have d R (XA T , Y) = i 
and d R (X'A T , Y) = d - i. We thus obtain A A (X, Y) < i and A A (X', Y) < d - i from Lemma |43l On the 
other hand, since 6 A (X, X') = d, we have A A (X, Y) + A A (X', Y) > d for any Y e F n q ,„ from d33]). Therefore, 
A A (X, Y) = i and A A (X', Y) = d-i hold. ■ 
As [32, Theorem 7] obtained by [|32l Theorems 3 and 6], we have the following proposition from 
Theorem [41] and Lemma [45] 



24 



Proposition 46. Consider the /-error (n x m) q linear network in Definition [20] Suppose that for a secret 
message S e F[ y ,„, the transmitted n packets X e X are generated by a coding scheme defined in 
Definition [37] Then, the minimum discrepancy decoder for A A (X, Y) is infallible for any fixed A if and 
only if t < l(S A (P s ) - 1)/2J. - ^ 

This proposition implies that the coding scheme given in Definition [37] is guaranteed to determine the 
unique set X against any t packet errors for any fixed A if and only if 6 A CP $) > It. Here we note that if 
X is uniquely determined, S is also uniquely determined from Definition [37] 

In the following, we restrict the coding scheme to the nested coset coding scheme with C\ and C 2 , and 
present a special case of Proposition [46] expressed in terms of the RGRW. That is, we set S = ¥ l qm and 
fs = CJC2 as defined in Definition I2T1 

Lemma 47. 5 A (Ci/C 2 ) = mm{d R (XA T ,X'A T ) : X,X' e C U X' -X <t C 2 }. 
Proof: 

5 A {C X IC 2 ) = mm{6 A (.X,X') : X,X' e CJC 2 ,X * X'} 

= min j min [d R (XA T , X'A T ) : X e X,X' e X'} : X, X' e C1/C2, X + X'} 
= min [d R (XA T ,X'A J ) : X e X e d/C 2 ,X' e X' e C { IC 2 ,X± X'} 
= mm{d R (XA T ,X'A J ) : X,X' g C u X' - X <£ C 2 ] . 

U 

Lemma 48 ( [|26l . B33l). For an arbitrary vector x G F^„, and an arbitrary matrix A e F^ x ", we have 
d\m ¥q Q(xA T ) > [dim F(; S(x) + rank A - n] . 

Lemma 49. Fix x G ¥" q „, and pe{0...,«} arbitrarily. Then, there always exists A e F^ x " with rank A = n-p 
that satisfies the equality dim Fi? S(M T ) = [dim F(j S(x) - p] in Lemma [48] 

Proof: First represent an m-dimensional vector x G F^,„ over as an m x n matrix over the base 
field F q , denoted by M x e F™ XM . Here we note that d\m ¥q Q(xA T ) = rankM v A T . We define by (M x ) c F^ 
and (A) cFJ row spaces of M x and A over ¥ q , respectively. The rank of M X A T is given by rankM v A T = 
rankA - dim {{M x y n (A)) [26], where <M t ) ± e F^ is the dual of (M x ) over F> q , If dim <M. Y > ± < n - p, 
i.e., if rankM r = dim Fi? S(x) > p, we can always choose A satisfying rankA - n- p and (A) □ (M x )^. 
Then, for such A, we have (M x y = {M x y n (A) and hence 

rank M X A T = rankA -dim ((M x ) x n <A)) 
= n- p- dim (M^)" 1 

=n-rankM r 

= rankM^ - p 
= dim F9 S(x) - p. 

On the other hand, if dim (M x ) x > n - p, i.e., if rankM t = dim F(? S(X) < p, we can always choose A 
satisfying rankA = n- p and (A) g (M x y. Then, for such A, we have (A) = (M^ 1 - n (A) and hence 

rank M X A T = rankA - dim «M X > X n (A)) = 0. 

=rankA 

Therefore, the lemma is established. ■ 

Theorem 50. Consider the /-error (n x m) q linear network in Definition [20] Then, the nested coset coding 
scheme with C\,C 2 in Definition [2J] is universally (i.e., simultaneously for all A e F^ x " with rank deficiency 
at most p) f-error-p-erasure-correcting if and only if M R:l (Ci,C 2 ) > 2t + p. 
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Proof: For the rank deficiency p = n- rank A, we have [d R (X, X') - p] + < d R (XA T ,X'A J ) from 
Lemma |48l and there always exists A e F^ x " depending on (X, X') such that the equality holds from 
Lemma [49] Thus, from Lemma [47] we have the following inequalities for an arbitrary fixed A with 
rankA = n- p. 

min 5 A (CdC 2 ) = [min {d R {X,X') :X,X'e C X ,X' -XiC) -p] + 

AeF^ x ":rankA=n-p 

= [mm{d R (X,0) :XeC u XiC 2 }-pY 
= [M R ,i(C u C 2 ) - pT • (by Lemma [HJ 

Thus, for 1 < i < p, we have 



and hence we obtain 



min 6 A (Ci/C 2 ) < min 6 A (Ci/C 2 ), 

A:rankA=n-p Arrank A=n-(p-i) 



min 6 A (Ci/C 2 )= min 6 A (Ci/C 2 ) 

A:rankA>n-p A:rankA=n-p 



= [M R , l (C u C 2 )-p] + . 
Therefore, from Proposition |46]for P s = C\/C 2 , the theorem is proved. 



D. Extension to Noncoherent Network Coding System 

In this subsection, we extend the analysis for the coherent network coding system, given in Section ITV-Ci 
to one for the noncoherent system in the setup of Section IIV-A21 We derive an expression for the error 
correction capability of the lifting construction [35] of the nested coset coding scheme in terms of the 
RGRW. 

As in Section IIV-CI we first consider the correction capability of the generalized coding scheme defined 
in Definition [37] Recall that in the noncoherent network coding system, the transfer matrix A at the sink 
node is unknown. Define the discrepancy function between X = X s e Ps an d Y for unknown A with at 
most p rank deficiency, as follows: 

A P GY, Y) 

= min {r e N : 3D e Ff°", 3Z 6 ¥' qin ,3A 6 F^ x ", 3X e X, Y T = AX T + DZ T , rankA > n - p] 

= min {a a GY, Y):Ae F^ x ", rankA > n - p) , (36) 

where the second equality is obtained by (|32T ). The definition of A p (X, Y) represents the minimum number 
r of error packets Z required to be injected in order to transform at least one element of X into Y, for at 
least one transfer matrix A satisfying rankA > n - p. For A P (X, Y), the minimum discrepancy decoder is 
given as 

X = argminA p (,Y,y). (37) 

We also define A-distance between X and X', induced by A P (X, Y), as 

6 P (X, X') ± min [A p (X, Y) + A P (X', Y) : Y e Fj„) 

= min [A A (X, Y) + A A >(X', Y) : A, A' e F^", Y e Fj„, rankA > n - p, rankA' > n - p) , 
where the second equality is obtained by (|36l ). Let A p CP s ) be the minimum A-distance given by 

6 P CP S ) ± min [6 P (X, X') : X, X' e P s , X * X'} . 
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Observe that from Lemma [43] we can rewrite A p (X, Y) as 

A p (X, Y) = min [d R (XA T , Y) : X e X, A e Ff*", rank A > n - p] . (38) 

Also, from Lemma [44] we have 

5 P (X,X') = mm{d R (XA J ,X'A' T ) : X e X,X' e X',A,A' e F^ x ", rank A > n - p, rank A' > n - p] . (39) 

Lemma 51. The discrepancy function A p (X, Y) is normal. 

Proof: Let X,X' e 9 S and let < i < d = 6 P (X,X'). Let A, A' e F^ x " be fixed matrices that 
minimize (1391) , and then suppose that X e X and X' e X' are vectors satisfying d = d R (XA T ,X'A' T ). 
Here, we can always find two vectors W, W e FL such that W + W = X'A' T - XA T , dim Fg S(W) = i and 
d\m ¥q Q(W) = d-i, as shown in the proof of [|32l Theorem 13]. Taking Y = XA T + W = X'A' T - W, we 
have' d R (XA T , Y) = i and d R (X'A' T , Y) = d - i. We thus obtain A p {X, Y) < i and A p (X', Y) < d - i from 
d3H). On the other hand, since 6 P (X, X') = d, we have A p (X, Y) + A P (X', Y) > d for any Y e ¥ n ql „ from (|36]). 
Therefore, A P (X, Y) = i and A P (X', Y) = d - i hold. ■ 
As lT3~2l Theorem 14], we have the following proposition from Theorem I4T1 and Lemma I5T1 



Proposition 52. Consider the /-error in x m) q linear network in Definition [20J Suppose that for a secret 
message S e S, the transmitted n packets X e X are generated by a coding scheme defined in Definition 137] 
Then, the minimum discrepancy decoder for A p (X, Y) is infallible if and only if t < l(6 p CPs) — 1)/2J. ■ 



This proposition implies that the coding scheme given in Definition [37] is guaranteed to determine the 
unique set X against any t packet errors if and only if 6 p CPs) > 2?. 

In the following, we restrict X to that generated by the lifting construction [1331 of the nested coset 
coding scheme, as described in Section IIV-A21 and we shall express the error correction capability given 
in Proposition [52] in terms of the RGRW. Recall that in the lifting construction of the nested coset coding 
scheme, C\ Q F|~ and C2 £ C\ are a linear code and its subcode for m = m - n, respectively. Also recall 
that S = F'_, X s = X s ,\\n and f s = ^"lift defined in ([3TI) . We will consider the error correction capability 
in this setup. Here, we introduce the following proposition given in [|32l . 

Proposition 53 ( fl32l Proposition 18]). For X,X' e W q ,„, we have 

min[d R (XA T ,X'A' T ) : A, A' e Ff°', rank A > n - p, rank A' > n - p) 
= [dim F? (Q(X) + S(Z')) - min{dim F? S(Z),dim F? S(Z')} - pf . 
From this proposition, we have the following lemma. 

Lemma 54. S p (P m ) = mmi^[d R (X,X') - pf : X,X' 6 C U X' -X $ C 2 }. 

Proof: Since the transmitted packets are generated by the lifting construction of the nested coset 
coding scheme, we have dim F[? S(X) = n for all X e X and for all X e P m . For X e X e P m and 
X' e X' e P m , we thus have 



dim Ff (S(Z) + S(X')) - min 



dim F S(X),dim F MX')}-p 



rank 
rank 



fa(X) fa(X') 



MX) (Pm(X')-MX) 



- min{n, n) - p 
-n - p 



=«+rank(0 s (X')-0 s (^)) 
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= rank( fo(r)-fe(X) )-p 

=fe(F-X) 

= dim F? S(Z'-Z)- P 
= ^(Z,X')-p, 

where in the first equality, X and X' e F^ m are regarded as m x n matrices over F cy , X T = [/ <fe(X) T ] 
and X' T = [/ (fe(X') T ], respectively. Thus, by combining Proposition |53l and (1391 ), we have the following 
equation for X sm ,X s >m g Pirn- 

<5p(^,iift,^Mift) = min{[j R (X,r) 

= min|[j R (X,r) 

Therefore, we finally have 

Wit.) 

= min {c5 p (*, X') :X,X'e P m , X + X'\ 

= min{min{[^(X,r) -p] + :Xe^(S),X' e <A(5')} : <KS),W) e d/C 2 ,<A(5) * <A(5')} 
= min{[j s (X,r) -pf:Xe^)e Ci/C 2 ,X' e (A(S') e Ci/C 2 ,^(S) * 
= min |[j R (Z, r ) - p] + : X, X' e Ci , X' - X £ C 2 } . 

■ 

This lemma yields the following proposition. 

Proposition 55. Consider the f-error (n x m) q linear network in Definition |20l Consider the lifting 
construction of the nested coset coding scheme with Ci c F"~ and C 2 5 Ci for m = m - n, as 
described in Section IIV-A2I Then, the scheme is universally /-error-p-erasure-correcting if and only if 
M RA (C U C 2 ) > 2t + p. 

Proof: From Lemma |5U we have 

SpiVm) + P = min {d R (X, T) : X, T e C u X' - X i C 2 ) 
= min [d R {X, 0):XeC u XiC 2 } 
= M RA (Ci,C 2 ). (by Lemma H3 

Thus, from Proposition [52] for !Ps = Pm, the proposition is proved. ■ 
This proposition implies that, by applying the lifting construction, the correction capability of the nested 
coset coding scheme is maintained even over the noncoherent network coding system. 

V. A Construction of Secure Network Coding and Its Analysis 

In this section, we propose a construction of the nested coset coding scheme with Ci and C 2 , and show its 
universal security performance and universal error correction capability by the analyses in Section ITTll and 
Section [IV] By adding the error correction, the proposed scheme is an extension of the universal strongly 
secure network coding scheme based on a systematic MRD code, presented in our earlier conference 
paper [fT9l . As well as the scheme of Silva and Kschischang ll34ll . the proposed scheme guarantees the 
universal equivocation 0dimCi-y SjX = H(S) when the conditional distribution of X given S is uniform on 
if/(S), and it is universally f-error-p-erasure-correcting when n-dimCi + 1 > 2t+p. Moreover, unlike Silva 
et al.'s scheme, our scheme guarantees the universal maximum strength Q. = dim C\ - 1, which means that 



p] : X e Xs,m,X' e Xs>,\\ftj ■ 

p] + :Xe^(S),X' e^(5')}. (by (ED) 
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no part of the secret message is deterministically revealed from the eavesdropped information observed 
from at most dimCi - 1 links over any underlying network code. An explicit construction of the nested 
coset coding scheme satisfying Q. = dimCi - 1 had remained an open question [|35l , and hence we solve 
this open question by the proposed scheme. 

For the sake of simplicity, this section considers the fundamental case of a coherent network coding 
system. In the case of noncoherent network coding, we can simply customize the proposed scheme by 
the lifting construction as we described in Section IIV-A2I 

A. Theorems for Nested Coset Coding Scheme with MRD codes 

In this subsection, we first introduce some theorems for the nested coset coding scheme using MRD 
codes C\ Q WL and C2 £ C\. These theorems can be used to reveal the security performance and error- 
correction capability of the scheme proposed by Silva and Kschischang 11341 , and they will be also used 
in the next subsection to clarify the performance of our proposed scheme. 

First, we present the following two theorems that are established regardless of the choice of iff in the 
nested coset coding scheme. For the universal equivocation p ,p i X , since the dual of an MRD code is also 
MRD, we immediately have the following theorem from Proposition [19] and Proposition |28l 

Theorem 56. Assume m > n. Let C\ c ¥ n qm be a linear code and let C2 5 C\ its subcode. Suppose that 
Ci is an MRD code. Write / = dimCi - dimC2. Then, for the nested coset coding scheme with C\ and 
C2 in Definition I2T1 the universal equivocation is in the range of H(S) - D(X\\U^s)\S) — dimC2] + < 
®mP SJ[ < I - [m -dimC 2 ] + for < /u < dimCi. ■ 

This theorem shows that if X is uniform, the universal equivocation is &d\mc 2 ,Ps^ = H(S). Also for the 
universal error correction capability, we immediately have the following theorem from Corollary [16] and 
Theorem 1501 

Theorem 57. Assume m > n. Let C\ Q ¥ l q „, be a linear code and let C2 £ C\ its subcode. Suppose that C\ 
is an MRD code. Then, the nested coset coding scheme with Ci and C2 in Definition [2T] is universally 
/-error-p-erasure-correcting if and only if It + p < n - dim C\ + 1. ■ 

Next, we present a theorem for the universal maximum strength, which is dependent on the setting of 
iff unlike Theorem [56] and Theorem [57] We have the following theorem immediately from Corollary [16] 
and Theorem [32] since the dual of an MRD code is also MRD. 

Theorem 58. Assume m > n. Let C\ c ¥ n q „, be a linear code and let C2 £ C\ its subcode. Write 
/ = dimCi - dimC2. Let a bijective function iff : PL— > C1/C2 be fixed in such a way that for all 
Z Q {1, . . . , /}, an F^. -linear subspace C^x defined in (1261) is an MRD code with dim C^x = dim Ci - \Z\ 
and d R {Cj,x) = ^ _ dim Ci-|^| + l. Then, the nested coset coding scheme with C\, C2 and iff in Definition [2T1 
guarantees the universal maximum strength Q. = dimCi - 1. ■ 

Silva and Kschischang lf34l proposed a nested coset coding scheme with C\ c WK, and C2 £ C\. 
In their scheme, both C\ and C2 are MRD with m > n, and hence Theorem [56] and Theorem [57] are 
simultaneously established. However, in their scheme the bijective function iff is specified in such a way 
that the condition in Theorem [58] is not always satisfied. Thus, their scheme does not always guarantee 
the universal maximum strength Q = dimCi - 1. 

In the next subsection, we present an explicit construction of the nested coset coding scheme that 
satisfies all the assumptions in Theorems [56] [57] and [58] simultaneously. 

B. Description of the Proposed Scheme 

Assume that the degree m of the field extension ¥ qm satisfies m > I + n. Then, the proposed scheme 
generates the transmitted n packets X e F' q „, by the following setting of the nested coset coding scheme. 



29 



First, we set the linear codes C\,C2 £ F" . Let D be an [I + n,k] systematic MRD code with 



■f 



. Let L - {/+!,...,/ + «} be an 



dimD = k{> I) and a systematic generator matrix G = [/ P 

index set. Define C\ - Px(!D) as a punctured code of T) to the index set JL. Also define C2 - T>£ as a 
shortened code of T) to the index set £.. Here we note the following facts for Ci,C 2 . Since an MRD code 
is also MDS, a k x k matrix over F q „, consisting of arbitrary k columns of G is always nonsingular, and 
hence dim Pr(2)) = dim C\ = k. On the other hand, since D is systematic and £, 2 {k + 1, ...,/ + n}, the 
shortening of D to X simply reduces the dimension of D over ir fl »j by Z, i.e., dim T) L = dim C 2 = k - I. 
Also, we should note that from the definition of the punctured code and shortened code, we have C 2 £ Ci, 
and dimCi - dimC 2 = dimCi/C 2 = /. 

Next, we set the bijective function if/ : F^ m — > Ci/C 2 . We define submatrices of the systematic generator 
matrix G of T) as follows. 



G = 



/ 

<9 



AG 

G 2 



Z rows 
I k — I rows 



/ columns n columns 



Then, we set if/ by AG e F^f as follows 



i/r(S) = SAG + C 2 eCi/C 2 . 



(40) 



We note that Gi - [ e F^" is the generator matrix of C\, and G 2 e F^,7 ?)x " is the generator matrix of 
C 2 . Also note that since rank AG = / from dimCi - dimC 2 = rankGi - rankG 2 = I, if/ is bijective. 

In our scheme, we execute the nested coset coding scheme with these settings of C\, C 2 and if/, and 
generate the transmitted packets X. Then, the source node transmits X over the network as described in 
Section IIII-Al and the sink node receives Y and executes the decoding operation on Y by the minimum 
discrepancy decoder given in IIV-CI The universal security performance and the universal error correction 
capability of our scheme is clarified in the next subsection. 

Remark 59. Consider the case where T> is not a systematic MRD code but a systematic Reed-Solomon 
code in the above settings. Then, this nested coset coding scheme becomes the strongly-secure secret 
sharing scheme of Nishiara and Takizawa [28 J. Similarly to the relation between the wiretap channel 
II and secure network coding, our scheme can be viewed as a generalization of their scheme [|28~1 for 
network coding. 



C. Analyses on the Proposed Scheme 

This subsection presents the analyses on the proposed scheme described in the previous subsection. We 
first reveal the security performance and error correction capability of our scheme. Next, we discuss the 
required packet length in our scheme. 

1 ) Security Performance and Error Correction Capability of the Proposed Scheme: Here, we perform 
analyses on the security performance and the error correction capability of the proposed scheme using 
the theorems presented in Section IV- A I 

First, in order to show that assumptions in Theorems I56TI581 are satisfied in our scheme, we give the 
following lemmas about a shortened code and a punctured code of a systematic MRD code. 

Lemma 60. Let m > N, and C e F^„ be a systematic MRD code of length N OVCr Jr.-,/" . For a subset 
IQ{1,...,N} satisfying I 2 {dim C + 1, . . . , N}, let Cj c F^! be a shortened code of C c Fj„ to I. Then, 
Cj is an MRD code with dim Cj = dim C - N + \I\ and d R (Ci) = N - dim C + 1. 

Proof: Since C is systematic and I 2 {dim C + 1, . . . ,N}, the shortening of C to I simply reduces 
the dimension of C over Jr/7'" by N - \I\, i.e., dim Cj = dim C - N + 



30 



Since m> N and shortened codes can be viewed as subcodes, we have 

d R (d) > d R (C) 

= N -d\mC+ 1. 

On the other hand, from m> N and the Singleton-type bound for the rank distance given in Proposition [T4l 
we have 

d R (Ci)<\I\- dim Cj +1 
= N -d\mC+ 1. 

Therefore, we have d R {Ci) = N - dim C + 1. ■ 

Lemma 61. Let m> N, and C e F^L be an MRD code of length N over Jt/j'» . For a set I c {1,,..,N} 
satisfying \I\>N- dim C and |J| > dim C, let P X (C) c f£! be a punctured code of C to J. Then, P X (C) 
is an MRD code with dim P T (C) = dim C and d R (Pj(C)) = \I\ - dimC + 1. 

Proof: Since an MRD code is also MDS, a dimC x dimC matrix over irv,'H consisting of arbitrary 
dimC columns of the generator matrix of C is always nonsingular. Thus, the dimension of a punctured 
code Pj(C) of length |J|(> dimC) is dim P T (C) = dimC. 

The puncturing of C to I reduces the minimum rank distance of C by at most N - \I\ (< dimC) from 
the definition of rank distance Ifl4l . This implies that d R (Pj(C)) > d R (C) - N + From m> N, we thus 
have 

d R (P T (C)) > d R (C) -N + \I\ 
= \I\ -dimC+ 1. 

On the other hand, from m> N and the Singleton-type bound for the rank distance given in Proposition [141 
we have 

d R (P T (C))<\I\-d\mPx(C) + l 
= \I\ -dimC+ 1. 

Therefore, we have d R (P T (C)) = \I\ - dimC + 1. ■ 

By the above lemmas, we finally derive the following propositions for the universal security performance 
and the universal error correction capability in our scheme, and show that our scheme satisfies Theorems 
|56l [571 and [58] simultaneously. 

Proposition 62. Consider the nested coset coding scheme proposed in Section IV-B1 Then, the universal 
equivocation 0^,p sx of the scheme is in the range of H(S) - D(X\\U,f,( S )\S) - [p, -dimC2] + < ®fi,p sx < 
I - \p - dim C 2 ] + for < ju < dim d = k. 

Proof: From Lemma [601 since m > I + n, we have dimC2 = k - I, and C2 is an MRD code with 
d R (C2) = n + l — k + l. Thus, from Theorem [561 we have the proposition. ■ 

Proposition 63. The nested coset coding scheme proposed in Section IV-Bl is universally /-error-p-erasure- 
correcting if and only if 2t + p < n - k + 1. 

Proof: From Lemma I6T1 since m > l + n, we have dim C\ = dim D = k, and C\ is an MRD code with 
d R (C\) = n - k + 1. Therefore, the proposition is proved from Theorem |57] ■ 

Proposition 64. The nested coset coding scheme proposed in Section IV-Bl has the universal maximum 
strength Q = k - 1 . 

Proof: Recall dim D = k. For a subset _Z Q {1, . . . , /}, let ~Z - {1, ...,/,/+ 1, + n\\Z- Denote 
by Th^ c F^' HZI a shortened code of D to Z- Since D Q F^f is a systematic MRD code with m>l + n 
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and X 2 {/ + 1, . . . , I + n) 2 [k + 1, . . . , / + n] from / < k, Th^ is an MRD code with dim Th^ = k-\Z\ and 
d R (!Dy) = l + n- k+ l from Lemma [60] In the proposed scheme, we can see that for Z, C\z defined 
in ([26l can be defined as a punctured code of to an index set {/ + 1 - \Z\, ...,/ + n - \Z\}, i.e., it is 
obtained by eliminating first I - \Z\ coordinates of codewords in 2>=f, from the definition of i/r. Hence, 
from Lemma |6U C^x £ is an MRD code with dimC3,2: = k - \Z\ and d R {C^x) = n - k - \Z\ + 1. 
Therefore, we have the proposition from Theorem |58] ■ 

Here we note that in the proposed scheme, the exact value of Q derived in Corollary |64] coincides with 
the upper and lower bounds of Q that are respectively given by Proposition [33] and Proposition |34l The 
reason is as follows. For i e {1, . . . , 1} and {/} = {1, . . . , l + n}\{i}, define the punctured code D u = Py- } (!D) 
and the shortened code D 2 j - £>jr } - Then, D 2i is MRD with dim D 2 ,i = k - 1 from Lemma |60] Since the 
dual of an MRD code is also MRD, we have M RJ (2^- ; ., = rc-dim T>\ x . + 1 = k from Corollary [T6] Thus, 
we obtain Q, > k-l from Proposition 1341 On the other hand, the subcode C\{f\ is MRD with dim =k—\ 
as shown in the proof of Corollary |64] We thus have Mr^C^ m,Cf) = n - dimC^i + 1 = k. Therefore 
Q < k - 1 holds from Proposition [333 

2) Required Packet Length m: Assume that m = I + n - 1 in Lemma [601 and Lemma [6T1 Then, from 
their proofs, Lemma 1601 and Lemma I6T1 do not always hold. This implies that Propositions I62H641 do not 
always hold if the packet length is m < I + n in our scheme. Hence, m > I + n is the necessary condition 
for our scheme to always satisfy Propositions |62| - |64l simultaneously. 

On the other hand, in [33, Theorem 8], Silva et al. showed only the existence of the nested coset 
coding scheme satisfying the universal maximum strength Q. = dimCi - 1 if the packet length is m > 
(/ + n) 2 /8 + log (? 16/. In contrast, we have demonstrated an explicit construction of the nested coset coding 
scheme satisfying Q. = dimCi-1 whenever m > l+n. Furthermore, we always have l+n < (l+n) 2 /8+log^ 16/ 
for / > 1 and n > 2. Therefore, our condition for the packet length is less demanding than that of Silva 
et al.'s sufficient condition. 



VI. Conclusion 

In this paper, we have introduced two relative code parameters, the relative dimension/intersection 
profile (RDIP) of a linear code Ci Q W qm and its subcode C2 £ Ci and the relative generalized rank weight 
(RGRW) of C\ and C 2 . We have also elucidated some basic properties of the RDIP and the RGRW. 
We have clarified the relation between the RGRW and the Gabidulin's rank distance lfl4l . that between 
the RGRW and the relative generalized Hamming weight [23 J, and that between the RGRW and the 
relative network generalized Hamming weight [42] . As applications of the RDIP and the RGRW, the 
security performance and the error correction capability of secure network coding based on the nested 
coset coding scheme with C\ and C 2 have been analyzed and clarified. We have revealed that the security 
performance and the error correction capability, guaranteed independently of the underlying network code, 
are expressed in terms of the RDIP and the RGRW. Further, we have proposed an explicit construction of 
the nested coset coding scheme, and have analyzed its universal security performance and universal error 
correction capability by using the RDIP and the RGRW. As well as the scheme of Silva and Kschischang 
(341, the proposed scheme guarantees, independently of the underlying network code, that no information 
of the secret message is obtained from any fi < dimC2 tapped links when the transmitted packets are 
uniformly distributed over Ci, and that the secret message is correctly decodable against any t error 
packets injected somewhere in the network and p rank deficiency of the transfer matrix of the sink node 
whenever n - dim C\ + 1 <2t + p holds. Moreover, our scheme also always guarantees that no part of the 
secret message is revealed to the adversary with jj. < dim C\ - 1 tapped links when the secret message 
and transmitted packets are uniformly distributed, unlike Silva et al.'s scheme 11331 . [1341 . 

The design of a linear code C\ and its subcode C 2 for the desired RGRW is left as an open problem for 
future work. Another possible avenue is to derive other types of bounds of the RGRW, e.g., generalizing 
the Gilbert- Varshamov bound of the rank distance [fl~5l for the RGRW, etc. 
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